The average tenure of a chief information security officer is between one and two years, far less than the six years a chief financial officer or the eight years a CEO typically spends at a company. The difference is even more striking alongside new data from the Ponemon Institute, which claims that around 65% of security professionals think about quitting due to burnout.
The world of cybersecurity and its associated stresses have grown significantly since then, and headlines are again warning that digital security is among the most stressful and demanding roles in today’s organisations.
“Cybersecurity officers and professionals have a lot to look after and that has consequences,” says Lior Arbel, co-founder of security SaaS provider Encore. “They need to keep in line with new security changes and threats, maintain skills in a very competitive labour market, develop security as digital business systems continue to evolve, and also cover the new fronts opened by hybrid working. Security professionals are constantly on their toes and often have to work long hours. That is taking a toll.”
Security’s stress problem
The price that cybersecurity professionals pay is evident in recent surveys probing the issue. A BlackFog survey of 400 security workers in the UK and US reveals a third are considering quitting their jobs due to stress and burnout. Email security vendor Mimecast produced a similar report: at least a third of cybersecurity staff want to quit within the next two years. And a Deep Instinct report estimates that stress is pushing 45% of senior and executive cybersecurity professionals to consider leaving.
Cybersecurity teams are the most likely to quit due to job-related stress, yet their actions are not isolated.
“Whatever impacts cybersecurity teams tends to have a ripple effect on other IT teams in a business. There are protocols and policies to ensure that security supports the business. When your security people start quitting or reduce performance due to stress, it creates a domino effect impacting other technology teams,” says Arbel.
What can companies do?
Cybersecurity will never be a stress-free occupation. It requires high levels of vigilance and a strong constitution in the face of persistent attempts by online criminals. Fittingly, cybersecurity professionals feel like protectors. They take on enormous responsibilities to ensure their companies stay safe.
But stress levels can get out of hand when they don’t have appropriate support. Says Arbel: “Companies should look after their security professionals but often they don’t do enough.”
What is enough? Companies should give more credibility and authority to cybersecurity leaders. This step is about more than just compensation. Cybersecurity heads, such as the Chief Information Security Officer, work with as many parts of the business as the most senior executives. They take on as many legal responsibilities and potential consequences, and they can frequently stand in the firing line, as the recent criminal prosecution of a former Uber CISO demonstrated.
“CISOs and their peers need more authority, control and direct engagement with the top of the company,” says Arbel. “Businesses should also create career paths to help security heads develop their business skills. These things often get neglected.”
Visibility reduces stress
A more immediate step is to improve the intelligence tools that security personnel use. Cybersecurity teams need more visibility of complex technology systems. Cybercrime is similar to a viral infection – it just needs one small gap to get in, and then it will spread. Cybersecurity pros must discover and close every gap in their systems. Too many lack that visibility.
“The visibility issue has become more serious. There are many systems that deal with different vectors of attacks; the challenge is that those systems are usually isolated and run by different teams across the organisation. Security teams now realise that they can’t rely on individual systems reporting their states. Security teams need to get visibility to the wider environment to understand their risk and find gaps. That data must be available and up to date – always. If you have to wait for a week to get data and then that data is incomplete, you might as well just guess because that will be more effective,” says Arbel.
Cybersecurity departments generally know about these problems, yet they struggle to convince their companies to make the appropriate investments. The latter feel they already spend too much on security – how will spending more make them safer?
The challenge is that a lot of the cyber team’s time is spent collecting the data (often manually) just to start to understand where they are exposed. They don’t always know what to prioritise. Having that visibility frees up time for remediation based on the correct data and prioritisation. That will decrease the stress and burnout for people on the frontline.
Nuanced changes to cybersecurity’s authority and monitoring can make all the difference between a cyber-safe and resilient company and a culture where security pros quit every few months.