Cybersecurity pros feel overworked, underpaid, and often ignored. Organizations must address these issues to maintain strong security, comply with cybersecurity mandates, and protect all our data.
October is National Cybersecurity Awareness Month (NCSAM), a 20-year US tradition dating back to 2004. NCSAM is associated with awareness of threats and trends, highlighted for training of executives and the population at large. In the spirit of cybersecurity awareness, however, I thought I would write about the status of cybersecurity professionals to make CISOs, HR professionals, and business managers more cognizant of their current situation.
According to new research from the Enterprise Strategy Group and the Information Systems Security Association (ISSA):
- Cybersecurity professionals’ job satisfaction varies. While 44% of cybersecurity pros are very satisfied at their current job, 36% are somewhat satisfied, 7% are neutral, and 13% are either somewhat or very dissatisfied with their jobs. When asked to identify the factors that lead to job satisfaction, 43% said competitive/industry-leading compensation, 41% said business managers’ commitment to strong cybersecurity, and 38% said the ability to work with a highly skilled and talented cybersecurity staff. So, money matters, but so do cybersecurity culture and skills advancement.
- Many cybersecurity pros believe they are underpaid. Speaking of compensation, 22% of cybersecurity professionals believe their compensation is higher than others with similar jobs, 38% claim their compensation is about the same as others with similar jobs, and 40% say that their compensation is less than others with similar jobs. Given the correlation between job satisfaction and compensation, it’s likely that those who feel underpaid represent an attrition risk to their organizations.
- A cybersecurity job is stressful some or most of the time. More than half (55%) of cybersecurity professionals believe their job is stressful all (100%), most (more than 75%), or much (51% to 74%) of the time. When asked to identify the most stressful aspects of their jobs, cybersecurity pros pointed to things like an overwhelming workload, working with disinterested business managers, finding out about projects with no security oversight, and keeping up with the security needs of new initiatives. Overworked, ignored, and underpaid is a recipe for stressed-out cybersecurity professionals, not organizational success.
- Half of cybersecurity professionals are considering job changes. When asked about the likelihood of leaving their current job, 21% said very likely, 7% said likely, and 21% said somewhat likely. While this comes as no surprise given the data presented above, it should still set off alarm bells in the CISO’s office and be of grave concern to chief risk officers, chief compliance officers, and other C-level executives.
- Many cybersecurity pros contemplate an exit strategy from the profession. Startlingly, 30% of cybersecurity professionals surveyed have considered leaving the cybersecurity profession altogether over the last 12 to 18 months. The top reasons for this thought included the high stress level of the profession, frustration with organizations that don’t take cybersecurity seriously, retirement, and the fact that a cybersecurity career requires too many hours of work.
Cybersecurity skills shortage persists
It’s safe to assume that much of the cybersecurity professional negativity is related to the global cybersecurity skills shortage. While I’m skeptical about the raw job numbers often associated with this topic, the ESG/ISSA research does indicate that 71% of cybersecurity professionals say their organization has been impacted by the cybersecurity skills shortage, creating a situation with increasing workloads, open jobs, and high burnout/attrition rates. Clearly, there’s a correlation. CISOs can’t hire their way out of this situation, so they’ll have to focus on things like better analytics, process automation, and professional/managed security services to augment internal staffing and skills.
Organizations face increasing cybersecurity requirements, from SEC disclosure rules to achieving Cybersecurity Maturity Model Certification, to complying with changes within the EU Cybersecurity Act, to working toward the National Cybersecurity Strategy. Oh, and let’s not forget the hurdles to jump over for purchasing cyber insurance at a reasonable premium. Getting there will require an efficient, productive, and, dare I say, happy cybersecurity workforce. During National Cybersecurity Awareness Month, it’s worth assessing whether the infosec staff is satisfied with their jobs or stressed out and ready to move on. All of us depend upon prudent management here.