There is an oft-cited purportedly Chinese curse, “May you live in interesting times.” Certainly, these are interesting times for the cybersecurity industry, and a recent report shed some light on how our colleagues are coping.
Cybersecurity as a profession draws a fascinating array of people. Career development is as much a motivation as in other fields, but many of our colleagues feel a sense of duty, a calling to protect these most important systems from bad actors. In some ways, defending essential cyber infrastructure from the unrelenting Chimera of cybercrime is the new frontier, the realm of heroes in service of the greater good. Our colleagues are so committed, in fact, that even though 60% report that the profession is taxing on their work/life balance, and they cite several significant stress factors, 79% say that they are happy to work as security professionals. That is commitment that many other fields can only look on with envy.
The fifth annual report of the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) provides fascinating and alarming insights into the lives of cybersecurity professionals. Based on a worldwide survey of 489 ISSA members, the report confirms the industry-wide problem of skills shortage, but also delves deeper into its causes, and provides possible solutions.
The single biggest challenge to the profession for the last 10 years has been, and still remains, the skills shortage. The crisis has reached over half (57%) of organisations, and 44% agree that it’s only getting worse. Its most cited consequences are an increasing workload (62%), unfilled open job requisitions (38%), and high burnout among staff (38%). More than three quarters of respondents say that it is difficult to recruit staff, and the effect is worst at mid-level (4-7 years’ experience). Most problems reported by respondents are rooted in the skills shortage.
The issue of skills shortage is twofold. First, there are the difficulties of recruitment, but once companies hire staff, their workload means they’re unable to keep up with training and further develop their skills.
The second major challenge reported lies in communication and relationships between cybersecurity professionals and other departments within organisations. Our colleagues are happiest when they feel integrated into decision making processes and product development from the onset, and grow frustrated when they are forced to address security needs in later phases of a project, more as an afterthought.
The Training Paradox
A consequence of the skills and staffing shortage is that those cybersecurity professionals who are already working within an organisation feel that the requirements of daily tasks get in the way of continued development. 91% of respondents agree that consistent training is essential to be able to keep up with evolving cyber threats, but 59% report that because of short-staffing, they are unable to manage both their workload and training. This, in turn, puts their organisations at risk. When the bulk of their time is taken up by putting out fires, burnout and loss of motivation ensue, which cause further issues.
To illustrate the need for continued training, consider how the adversaries have changed. In the past, hackers were tech-savvy teenagers, having fun breaching poorly secured systems. More than anything, they sought thrills or to do mischief. That character is now gone, only to live on in the narrative imagination of movies. For a few years now, hackers have turned from lone-wolves into organised crime syndicates—both state and private—intent on stealing intellectual property, extorting money from victims and stealing marketing plans and industrial secrets which they sell to company rivals. Their methods have become more sophisticated, their focus needle-sharp.
Today, organised cyber syndicates execute sophisticated projects according to their methodology: reconnaissance, attack planning, attack execution, lessons learned, and start again. So the bar for cybersecurity professionals is much higher and needs to start with prevention, where all employee training is key.
—René Sotola, senior strategy advisor to NewPush
A significant factor in job satisfaction, and subsequently productivity, is the level of stress employees have to face. As a direct consequence of the increased need for remote worker support over the past year, 50% of respondents reported an increased stress level. Other contributing factors to higher stress include (1) finding out about projects that were started by other teams with no security oversight (32%), (2) working with disinterested business managers (31%), (3) overwhelming workload (31%), and (4) constant emergencies that take professionals away from their primary tasks (30%). It seems that our colleagues want to be involved in project development right from the start, but are too busy coming up with ad-hoc solutions to do so. This directly results in staff burnout and attrition, which is especially dangerous, since it’s difficult to find applicants for vacant positions.
In some cases, stress has alarming ramifications. 28% of respondents said that they or a colleague had to deal with serious personal issues because of stress associated with the cybersecurity profession (i.e., drug abuse, alcohol abuse, depression, etc.).
The report focuses on stress associated with daily routine, especially in environments where understaffing puts further burden on employees. However, it’s clear that extraordinary circumstances increase the normal levels of stress even further. Wherever employees are overburdened, the organisation risks compromising their security, which increases the threat levels, and could easily lead to being targeted by bad actors. Dealing with the fallout of an attack is even more stressful, and could put professionals over their limits.
The report says that to help alleviate stresses caused by the pandemic, 36% of organizations instituted more CISO “check-ins” with staff, 32% created online social meetings for the cybersecurity team, and 24% added formal stress management programs driven by HR.
Another consequence of the skills shortage is frequent solicitation. 36% of respondents report that they receive calls from headhunters or emails about open positions at least once a week, and a further 33% said they are approached at least once a month. This is from all levels of positions. ESG and ISSA say that “this data reinforces the need for CISOs/CSOs and the organisations they work for to plan for staff and skills shortages by including plans for additional use of professional/managed services and process automation.”
Automation could alleviate some of the workload and associated stress that professionals have to deal with, which in turn leads to greater job satisfaction, and frees up time and energy towards training.
Although somewhat limited in scope, the report nonetheless offers valuable insights for management, and taking some of its suggestions to heart could lead to improvements in employee satisfaction and productivity.
First, it’s important to highlight just how crucial the role of a CIO & CISO is in an organisation. It is imperative that they are a key executive with the right budget, the right attitude and willingness to fight for their team. They have to convince their boards that cybersecurity is a worthwhile investment, and, paradoxically, as long as everything goes well, they’ll have nothing to show for it. A single attack has the potential to ruin a company, so a post-incident told-you-so attitude is no way forward. Business executives need to heed their CIO & CISO’s advice, include them in business decisions and development projects from the word go, and understand that cybersecurity processes are integral to the smooth running of every business.
The most important piece of advice to CIOs & CISOs from the report was “For goodness sakes, pay your people!” The report warns of losing “key security personnel who are being aggressively pursued by recruiters and other organizations constantly,” and suggests that management should fight to secure adequate budgets and do away with archaic personnel models in order to hold on to their most experienced employees, because staff with hands-on experience are key to any strong security strategy.
Executives are also strongly advised to make sure that security is integrated into decision making and product development. Many respondents reported middling-to-poor working relationships between their departments and HR (28%), line of business managers (28%), the board of directors (27%), and the legal team (27%). Poor relationships will lead to organizational friction, communications issues, human error, and ultimately, increased cyber-risk. It is best to facilitate a company-wide cybersecurity culture, and for CISOs and CIOs to move their departments closer to the business. Training, extended interdepartmental collaboration, and process reengineering are the best ways to achieve integration.
To address the skills shortage and the skills gap, more investment should be put towards training and skills development. This will not only help the business stay on top of evolving challenges, but also improve job satisfaction, bolster morale, and improve attrition rates.
In the long term, management is advised to develop a strategy to address the cybersecurity skill shortage. This is a complicated problem with no easy solution, but improving automation rates and augmenting staff with managed services can help. The goal here should be covering all security requirements while making the existing staff as efficient and productive as possible.
The last piece of advice the report offers is to “consider what’s necessary to make your organization an attractive landing spot for cybersecurity pros.” The aim is to retain existing personnel while recruiting new employees. Competitive compensation and benefits for continuing education and career development are the first things conscientious and experienced staff look for, while internship programmes, mentoring, and staff rotation create a pipeline from entry-level positions to experienced security professionals. Management may consider reaching out to professional organizations, local threat sharing groups, colleges and universities, and similar organisations to spread the word about the benefits of working for their company.
These steps taken together can go a long way towards creating an organisation with a healthy work environment where experienced professionals will seek employment and which they will strive to make successful.
Our Own Affairs
We at NewPush feel acutely the struggles our colleagues in the industry face. As a company focussed solely on cybersecurity, we don’t have to grapple with the problems of inadequate security budgets or being left out of business decisions, but we see their effects everywhere. We have made it our mission to ease the burdens on our clients, and indirectly their employees, by providing automated cybersecurity solutions as well as help from dedicated professionals. Our goal is to create effective automated solutions that help by turning data into intelligence, speeding up the process of detection and monitoring.
In the beginning, cybersecurity was a shared element throughout our organisation. Then, in 2017, we dedicated a hit team of three experts solely to cybersecurity, and have grown the group to 27 employees, soon to be 50, with plans to expand to over 100 specialists in every office on three continents in the next year. Together, we protect the data of over 5 million individual users working in healthcare and education so that they can focus on their tasks, safe in the knowledge that their personal information is secure.
The Connective Platform™ integrates a host of cybersecurity tools into one system faster than any of our competitors, but that alone wouldn't give our partners the edge over cybercriminals. Simply gathering all the data from a number of connected elements would still require an army of experts to make sense of it; it's analogous to how gathering stock prices from markets all around the world doesn't tell you where to invest your money next. Our platform goes on to analyse that massive amount of data to give our partners the information they need: where the weak points of their cyber defence are, and how to address them.