It is common knowledge that there are too few information security professionals to meet the demands of business. Estimates are that for every qualified information security practitioner on the market in 2020 there will be at least three vacant positions for them to choose from.
Information security as a choice of specialisation is now a hot topic because it pays really well — quite possibly the highest starting and career salaries in the IT professions. The lucrative salary, however, can come at quite a personal cost.
That earning opportunity is attracting a lot of otherwise normally IT-capable people into considering security as a specialised discipline. Companies are paying more to attract and retain these skills. In spite of these lucrative opportunities, why is it that so many experienced security professionals are leaving their current employers?
IT has always been a high-stress profession, but information and cybersecurity specialists and executives are currently seen as the most likely subjects to experience burnout. Although burnout is common in many high-tech, high-pressure industries, the pressures that security professionals are exposed to can take this to a new and disturbing level.
One reason for this is too few security specialists, as everyone who is able to deliver a competent cybersecurity function will be overworked — nothing new there in the IT space. But, apart from the brutal and merciless 24×7 “fix it now” ethos common to IT, cybersecurity practitioners have another equally challenging problem to contend with.
Cybersecurity in principle is about detecting and defending your company from active attacks by cybercriminals. It is an unending, intense and technically demanding process. This continual and aggressive attack, however, triggers an equally intense response in the best security practitioners, whose understanding and dedication can lead them to take a strong personal and emotional position in defence of their companies.
Often overworked, underappreciated, frequently blamed for that one failure out of a hundred unacknowledged successes, rarely appreciated by the very business that they protect, these emotionally engaged front-line cyber warriors, whether at a network technical level, security operations executive, or at CISO level, can easily fall prey to a level of PTSD that can lead to serious burnout.
The very dedication that can make these professionals such an asset can become their Achilles’ heel: the best of the best do take cybersecurity extremely personally. This professionalism is their secret power. But no one has an infinite reserve of power, and even as highly paid as these professionals are, their employers frequently fail to invest in their emotional and physical well-being.
Cybersecurity is an adversarial environment. It requires suspicion, intuition, intelligence, research and dedication to function well within this space. Due to its confrontational ethos, it also requires stress management techniques that rarely exist outside of the military, and almost never in a corporate environment.
The first signs of trouble within your security team can appear in the least expected places. Any cybersecurity manager will have seen this happen, but may not have fully understood the causes. If your job requires that you suspect everything, trust no one until verified, and assume imminent attack at every corner, then as your stress increases your ability to leave this suspicion at the office begins to fail. The level of security intensity required at work as a cybersecurity professional is completely toxic to personal and family relationships. The first signs of trouble are broken relationships and divorces.
Some 90% of security professionals at a CISO level report that they suffer moderate to high levels of stress; 60% report that they have trouble switching off and cannot easily disconnect their business stress from their personal lives.
Given the investment, and dependence, that many organisations have on a functioning and reliable cybersecurity team it is surprising that so few have any formal stress or counselling programmes for their “most valuable players”. Many companies would state that they have available counselling, but then confirm that it is voluntary.
Under voluntary participation conditions, even if top-level counselling were available, there is stigma attached to it and most would decline – even the wise few that recognise the symptoms of PTSD.
If these cyber warriors – those that fight for you in cyberspace – were employed in any other adversarial profession (for example in the police, army, or even in a football team) they would have mandatory counselling sessions. No choice means no stigma.
Might it be time to consider this in business? If your business really needs the skill and diligence of these highly-expensive-to-recruit and highly-expensive-to-retain professionals, then should it not also ensure that it provides them with the counselling, support and stress protection commensurate with that value? This is not only an executive-level problem; if you want to have skilled cybersecurity executives, it makes sense to start this level of support with your most junior recruits.
The secondary cost of the loss of these professionals is perhaps even more disturbing: they do not just withdraw from security. Their experience of burnout is more brutal than most, and the need to recover themselves means that they often change career and are not willing to share or teach their hard-earned cybersecurity experience to the already under-supplied next generation.
- Steve Jump is outgoing head of corporate information security governance at Telkom