10/23/2019
09:00 AM
Kevin Coston

What Has Cybersecurity Pros So Stressed -- And Why It's Everyone's Problem

As cyberattacks intensify and the skills gap broadens, it's hard not to wonder how much more those in the industry can take before throwing in the towel.

I often find myself at industry events and meetings with colleagues engaging in casual chitchat about the current work environment and the challenges we as information-security professionals are currently facing. We typically share sighs of empathy as we relate common stories of how our weekends were nonexistent due to responding to a Priority 1 event. To make matters worse, we have continuing professional education credits that are due by the end of the month for one of our many expensive certifications, and we also need to walk our dogs and find time to cut the grass.

I often ask, why do we do this to ourselves? The hours are often brutal, the service is often thankless, the cyberattacks never seem to stop, and the strategies seem to be dated — all leading to a physically and mentally taxing game of whack-a-mole. As cyberattacks intensify and the skills gap broadens, it's hard not to wonder how much more infosec pros can take before throwing in the towel. Indeed, many of my colleagues are beginning to question whether the time and energy they are investing in developing their professional skill sets is netting them a positive ROI in the department of personal well-being.

It comes down to this: A mass exodus of overworked infosec professionals is a very real threat if we, as a community, don't take a closer look at the multitiered problems that are creating an environment ripe for job turnover and employee dissatisfaction.

What's Going On?
According to a 2018 study published by ISC(2), more than 84% of cybersecurity professionals said they were either open to new job opportunities or already planned on pursuing a new opportunity that year. Close to half (49%) said salary was not the main reason for their sentiment. Rather, 63% of respondents said they wanted to work at an organization where their opinions on the existing security posture were taken seriously.

The fact that more than three-quarters of the industry is willing to jump ship at any given time — or at least has given thought to the idea — should be setting off alarm bells, especially given the number of job vacancies market wide. The latter does not seem to be getting better anytime soon: In a recent study conducted by ESG, 53% of companies reported a problematic shortage in cybersecurity skills.

I wonder, though: Is there truly a skills gap, or are other factors at play that give cybersecurity professionals their pick of the 2.93 million security jobs ISC(2) calculates are open (or at least needed) across the globe?

As a cybersecurity architect who has consulted for a number of different businesses across multiple sectors, I have noticed many common refrains among security and IT operations: "Our network security specialist just resigned for company B last week," "I just took over the security program a month ago," "We had a security director who was working on a maturity plan, but she was offered a position for $50K more than what she makes now," and the infamous, "We hired a new security engineer, but he didn’t show up on the first day because he ended up taking another offer." Given the time it takes to recruit, interview, screen, onboard, and train a new employee, one can see how this can be problematic for any business. But for a hyperfocused, specialized industry such as cybersecurity that is already experiencing a labor shortage, this could be potentially detrimental.

What's happening? There's no single answer. It seems to be a perfect storm of a competitive job landscape, the cost and lack of continuing education programs aimed at cybersecurity, and employee dissatisfaction with their companies' stance on information security all leading to resentment and, in extreme cases, job burnout.                   

Frustration Factors
Compensation in an extremely competitive market can be a driver of turnover in itself. According to recent data from tech staffing agency Mondo, salaries ranged from $120,000 to $185,000 for an information security manager and from $175,000 to $275,000 for a chief information security officer.

Yet, while these numbers sound great, salary is far from a singular indicator of job satisfaction. Feelings of dissatisfaction can arise when job expectations become unclear and an employee who may have been hired as a response analyst, for example, now finds himself wearing the hat of an integrations engineer, threat researcher, and fire watch captain.

Exacerbating the situation, many companies lack the personnel to fill critical security roles, which places a heavier demand on existing staff, often resulting in frustration, burnout, and overall job dissatisfaction. When there are close to 3 million well-paying infosec positions and more vacancies expected to be created based on demand, it makes it extremely easy for a jaded employee to begin to look elsewhere, particularly when they have a highly in-demand skillset.

Speaking of skills, the demand for professionals to stay up to date with their training and education is driving many of them to look for higher-paying positions given the increasingly hefty price tags that accompany higher education and professional certifications. Often the onus of obtaining certifications needed for specific positions falls at the feet of employees — another reason for their frustration, because we all know the cost of education continues to escalate.

In an industry where retraining and constant learning are at the core, it is easy to see how this can be a major stressor on the average infosec professional. Also of note, many universities are struggling to keep up with a curriculum that may change within a matter of months and often are lacking the resources to hire the proper personnel to educate future students.

Findings pertaining to the mental and physical health of cybersecurity professionals are also alarming. According to research conducted by Nominet, 25% of CISOs in the US and UK suffer from mental and/or physical stress, with 20% turning to alcohol or drugs as a coping mechanism. Stressors included fear of compromise, not enough budget to protect company assets, and concerns pertaining to visibility and proactively spotting new threats within their organizations.

This fatigue is not only being felt in the executive suite. In a worldwide study of 267 cybersecurity professionals conducted by ISSA and ESG, 40% reported their No. 1 stressor was keeping up with the needs of new IT initiatives. Coming in at a close second was finding out about IT initiatives that were started by other teams within their organizations with no security oversight, cited by 39%.

Call to Arms
I am not the biggest fan of clichés, but as the saying goes, "This is an everyone problem." Retaining and developing talent go hand in hand with creating a mature, robust security posture. Thwarting employee frustration and turnover starts with properly equipping security personnel with the tools to do their jobs, whether that be financial support for continuing education, creating a culture in the senior executive suite of security awareness and criticality, investment in more personnel, a more defined onboarding process, clearer career paths, or mental health services for individuals who may need them. For many infosec professionals, work becomes a personal mission — often a very thankless, invisible mission to the companies they serve.

Now it is up to organizations to adopt a motto that we as cybersecurity professionals live by: "The goal is simple: Protect the human and their well-being at all costs."

Note: These are the personal views of Kevin Coston and not necessarily those of his employer.

(Image: pathdoc via Adobe Stock)


Kevin Coston is a cloud security architect at Akamai Technologies. He currently resides in Denver, Colorado, with his fiancé and three dogs. While not conducting security research or consulting with some of the world's largest corporations, Coston enjoys spending his ...

Comments
cbear42,
User Rank: Strategist
10/30/2019 | 1:07:10 PM
It's Not the Bad Guys Who Are the Biggest Problem in Security
While all of the points in this article have validity - I can tell you what the biggest stressor is for many cyberpros. It's not coming from the "outside" - it's coming from the inside of corporations. Cyber people can deal with the criminals and even the hapless users who are human and make mistakes. They may be an annoyance - but we have the know-how and can address those risks.

They're not the biggest problem.

The real stress is coming from C-level people who are more interested in speed than in (honestly) keeping their organization secure. It's the utter hypocrisy that allows lip-service to say "we take security seriously" publicly - but starves the security team of the basic resources they need to do their jobs. (Case in point: I am an appsec architect, but there is no money for code assessment/scanning tools. I'm supposed to do it all manually, I guess. And, of course, that is impossible.)

The problem, of course, is that the above attitude rolls through the organization. It's the "security" meetings you don't receive invitations for (even though you're the only rep for security in the entire company). It's the decision to use a vendor before security reviews are even requested - because the CEO "knows" somebody. It's the request to review a vendor or an application immediately - because "we're going live tomorrow". It's the formal processes that you finally get into place, that are ignored. It's the issues you raise on a Slack channel that mysteriously go "private" when you inject that security should really be involved in the issue... and then come back three days later "solved". It's lurking on Slack channels just to discover that four new vendors are being brought on board that you've never heard of. . .

I could go on and on. 

In other words, let us do our jobs, give us more than lip-service as support, fund us - and we will deliver and perform and be very happy.

But, create an environment like the above - and expect us to start looking for a company that does value our skills, experience and expertise. Because that WILL reduce our "stress".

 
Fahim@GTA,
User Rank: Apprentice
10/24/2019 | 9:50:02 AM
Pretty much summarized the true nature of current tech industry
Kevin.
THANK YOU for publishing this article. You have pretty much summarized what's going on in the Information Security world. While there are some notable exceptions, this is our story in almost all businesses. Unfortunately, the management from "Business" who SHOULD be reading this article will likely not get to read this.


Another trend I have been noticing is that there are currently a lot of 'new' security-minded people suddenly being born. 'Product sales manager' suddenly becoming 'security sales expert,' 'Business liaison' to 'security liaison,' 'project manager' to 'security guru'... list goes on and on. It would have been beneficial for the future of business and our industry if all these people with new security titles learned about their job before starting to talk about it in front of any C-suite team.


Well, I am already getting tired of seeing the show-off both online and offline; enough that I have erased most of my security-related skillsets from online profiles.

 

 