Survey identifies root causes of cybersecurity staff turnover
Most cybersecurity professionals enter the field because the work is challenging, and the rewards are comparatively high. However, the stress that is an inherent part of the job does inevitably take its toll.
A survey of 267 cybersecurity professionals conducted by Enterprise Strategy Group (ESG) on behalf of the non-profit Information Systems Security Association (ISSA) finds the biggest contributor to those rising levels of stress is the chronic cybersecurity skills shortage. One-third of survey respondents believe that the global cybersecurity skills shortage has had a significant impact on their organization, while another 41 percent said the skills shortage has impacted their organizations somewhat.
Two-thirds of respondents working in organizations that have been impacted by the skills shortage say that shortage has resulted in increased workload on the existing staff, and nearly half (47%) said there isn’t enough time for them fully learn or utilize some of the security technologies they have in place to their full potential.
The most acute skills shortages identified are in the areas of cloud computing security (33%), application security (32%), and security analysis and investigations (30%). A full 41 percent admit their organization has had to recruit and train junior personnel because they could not find more experienced personnel.
Other major sources of stress cited by survey include keeping up with the security needs of new IT initiatives (40%), finding out about IT initiatives/projects that were started by other teams within their organizations without proper security oversight (39%), trying to get end-users to better understand cyber-risks and change their behavior (38%), and trying to get the business to better understand cyber-risks (37%).
A majority (63%) of survey respondents also don’t think that their employer provides the cybersecurity team with the right level of training. Two-thirds (66%), however, also note the demand of their jobs doesn’t leave them any time to focus on skills development anyway.
Not surprisingly, 59 percent of survey respondents say they believe that cyber-adversaries have a big advantage over cyberdefenders while 34% say that cyber-adversaries have a marginal advantage over cyber-defenders. A total of 39 percent of their organizations said their organizations are either extremely vulnerable to an attack, while 52 percent said they are somewhat vulnerable. Nearly half of respondents (48%) admitted their organization was involved in at least one security incident over the past two years. Another 40 percent said they either didn’t know or preferred not to say. When asked to identify the root causes of these security incidents, 34 percent cited a lack of end-user training while 24 percent confessed the cybersecurity team simply can’t keep up with a growing workload.
When asked what organizations should do to improve their current situation, respondents cited adding cybersecurity goals and metrics to IT and business managers (42%), increasing training for the cybersecurity team (42%), increasing the cybersecurity budget (41%, and increasing training for non-technical employees (40%).'If the organization keeps losing, cybersecurity professionals eventually will start to look for a better team to play on.' Click To Tweet
Put it altogether and it becomes obvious cybersecurity professionals are tempted by greener pastures. Only 39 percent of respondents said they were very satisfied with their current job, compared to 47 percent that are only somewhat satisfied. A full 44 percent of survey respondents report they are solicited to change jobs by recruiters at least once a week. Over three quarters (76%) are solicited to change jobs by recruiters at least once a month.
Most cybersecurity professionals are tempted by those entreaties simply because the daily grind they find themselves in every day. No matter how philosophical any cybersecurity professional may be, most of them still take any breach personal. If the organization keeps losing, cybersecurity professionals eventually will start to look for a better team to play on.
Automation combined with artificial intelligence (AI) may one day collectively lower the stress level of cybersecurity professionals. Right now, however, organizations that are finding it hard to attract and retain cybersecurity professionals would be well-advised to consider to what degree they might be their own worst enemy.'The most acute skills shortages identified are in the areas of cloud computing security (33%), application security (32%), and security analysis and investigations (30%).' Click To Tweet