Are Cyber Security Professionals experiencing burnout?


Attention all Cyber Security Professionals (CSPs)! Are you overlooked, undervalued, too exhausted to monitor for attacks and, ultimately, experiencing professional burnout?

A recent report issued by the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) at the end of 2017 researched the lives and experiences of CSPs. The results illustrated an escalating and dangerous game of cyber security ‘cat and mouse’. Cyber-adversaries are continuing to develop creative tactics, techniques and procedures for attacks. The security industry itself has exploded with new products and vendors to overcome this, with the cyber security market expected to be worth over $200 billion by 2022. But what about an individual company’s ability to identify and respond to a cyber-attack?

CSPs continue to reside on the front-line of this perpetual battle, tasked with applying limited resources as countermeasures and defending their organisations against a constant barrage of cyber-attacks. This constant battle to perform more advanced techniques is leading to stress and fatigue. The demands are outpacing the training and support that such professionals are offered by their organisations.

Many organisations tackle the fight with sub-optimal forces, with 45% of organisations claiming to have a problematic shortage of cyber security skills, which leads to high rates of employee burnout and employee attrition. Jenson Knight has recognised that this has led to a chaotic cyber security market, highlighted by salary inflation and often aggressive recruiting tactics by some organisations. It is commonplace now for CSPs to be actively solicited to consider other roles at least once per week. This situation is exacerbated by the fact that there are more cyber security jobs than there are people to fill them.

Key findings of the report:

  • 66% of respondents felt that they did not have a clearly defined career path (reasons cited include the lack of a well-defined, industry-standard, cyber security career lifecycle map, and rapid changes in the cyber security field itself).
  • 60% of CSPs are dissatisfied with their current jobs, many of whom stated that their organisations were not providing an appropriate level of training for them to keep up with business and IT risks.
  • 49% are solicited to consider other cyber security jobs at least once a week (high attrition and salary inflation should be a top concern for all CISOs!).

Improvement actions suggested by respondents included:

  • Adding cyber security goals and metrics to IT and business managers (43%)
  • Documenting and formalising all cyber security processes (41%)
  • Hiring more CSPs (38%)
  • Solutions such as technology automation, SaaS offerings and managed security services could serve as alternatives.

CSPs were given 5 key pieces of advice:

  1. Invest more time in career development – map out your career progression to achieve your goals over time.
  2. Look into training and peers rather than security certificates to improve cyber security knowledge.
  3. Develop business skills throughout your career – ambitious professionals should focus on business processes and objectives and align them with risk management, cyber security controls and continuous monitoring.
  4. Take advantage of the seller’s market – look to organisations who provide training incentives, career development services and mentoring schemes to maximise job satisfaction.
  5. Anticipate and plan for cyber security skills shortage – assume that your organisation is short on people (even if it isn’t) and plan for this reality with compensating controls such as increasing dependence on managed/professional services, process automation and more use of advanced analytics technologies.

Organisations were advised to expect and face strong competition in attracting and retaining the best cyber security talent. The advice includes:

  1. Recruit CSPs from IT and beyond – target candidates who have worked with multiple technologies, have IT operations and networking technology experience, and have a background of collaborating with business managers on IT initiatives.
  2. Invest more in cyber security training.
  3. Provide career development advice and services.
  4. Assess job satisfaction in the cyber security department – look for areas of improvement and fine-tune problem areas.
  5. Anticipate cyber-attacks and data breaches.
  6. Take the cyber security skills shortage into account as part of your everyday initiatives and decisions – the majority of organisations will feel the impact of the skills shortage in one way or another.

If you can relate to the professional burnout that has been discussed in this report, or you are a hiring manager who requires advice/assistance on attracting the hard-to-reach talent, get in touch with Jenson Knight – we’d be happy to discuss.