Nearly half of cyber security leaders plan to change jobs in the next two years, and half of those plan to leave the security sector for good, citing “multiple work-related stressors”, according to statistics gathered by Gartner analysts.
It said that organisations that do not view security risk management as critical to their success, that maintain compliance-centric security programmes, and that have low levels of boardroom support and subpar industry maturity would be likely to experience higher attrition rates, as security specialists seek roles where they feel valued and can have a real impact.
The research house warned that given these dynamics, as well as the massive market opportunities for security professionals, talent churn will come to pose a significant threat to security teams in the short-term future.
“Cyber security professionals are facing unsustainable levels of stress,” said Deepti Gopal, director analyst at Gartner. “CISOs are on the defence, with the only possible outcomes that they don’t get hacked or they do. The psychological impact of this directly affects decision quality and the performance of cybersecurity leaders and their teams.
“Burnout and voluntary attrition are outcomes of poor organisational culture. While eliminating stress is an unrealistic goal, people can manage incredibly challenging and stressful jobs in cultures where they’re supported,” added Gopal.
While those in charge of security are struggling with stress, burnout and bad security management, the people they are tasked with keeping safe are going unprotected, the report said, with the result that lack of talent or human failure is expected to be a contributing factor in over half of “significant” cyber security incidents by the midpoint of the decade.
This trend can be clearly seen in the number of social engineering attacks against ordinary employees, whom many threat actors now see as the most vulnerable point of exploitation in the organisation.
A Gartner study produced last summer found that 69% of employees had bypassed their organisation’s cyber security guidance in some way during the preceding 12-month period, and 74% would be willing to bypass cyber security guidance if they believed there was a good chance that it would help either them or their team to achieve a business objective.
“Friction that slows down employees and leads to insecure behaviour is a significant driver of insider risk,” said Paul Furtado, vice president analyst at Gartner.
Gartner’s latest analysis predicts that half of medium-to-large businesses will adopt formal insider risk management programmes within the next 22 months, up from a paltry 10% at the time of writing.
Fit-for-purpose, focused insider risk management programmes will proactively and predictively identify risky behaviour that may lead to the exfiltration of corporate assets or other damaging actions, and critically, should provide corrective guidance rather than punishment, said Furtado.
“CISOs must increasingly consider insider risk when developing a cyber security programme,” Furtado added. “Traditional cyber security tools have limited visibility into threats that come from within.”
Amanda Finch, CEO of the Chartered Institute of Information Security (CIISec), commented: “It’s not surprising that security teams are burnt out – especially given the increased pressures brought on by the impending economic crisis. CIISec’s own research highlighted the risk of burn-out in the industry: 77% of cyber security professionals are working up to 50 hours a week, while 12% are working 51 to 70 hours. What’s more, a third of professionals revealed they are kept awake by job stress. This is simply unsustainable, and unless the industry can learn how to do more with less, organisations will suffer.
“Cyber attacks will only increase as stretched security teams find it harder to handle the day-to-day side of the job, creating a vicious circle of increasing stress and potentially leaving their company exposed. At the same time, the industry needs to not only attract more diverse applicants, but also ensure those already in place have long and fulfilling careers.
“Organisations need to give clear career paths, showing precisely what skills professionals need to develop and progress. Access to the right training is essential so employees have the knowledge and experience they need to keep up with evolving threats. And organisations need to identify and address the signs of burn-out early on before it affects employees and their colleagues. Doing this will help security professionals reach their full potential and progress their careers, while also minimising day-to-day stress and preventing escalation,” she said.