Overworked and burnt out? Cybersecurity pros under more pressure

‘Resources are scarce, budgets are tight, regulations are increasing, and the threat landscape is getting ever more complex.’
14 July 2020

Security professionals are hanging on by a thread. Source: Shutterstock

  • CIISec Survey shines a light on issues of workload, stress and diversity amongst IT security professionals
  • 82% of survey respondents say security budgets are not keeping pace with rising threat levels in the security space

The Chartered Institute of Information Security (CIISec) are an organizational focal point for the setting of standards across the Information Security profession. Each year, they conduct a “State of the Security Profession” survey, seeking insight into the mindset and trends within the sector.

In this report – the fifth annual turnout – its short, thematically structured questions prompted candid takes on poor resources, tight budgets, high regulatory pressures and increasing threats.

2020’s iteration of the survey had more respondents than ever before, earmarking cybersecurity risk management as an increasingly vital enterprise, and understandably so.

With regulatory fines on the rise (in value and notoriety), consumers are keeping a keen eye on the privacy of their data, and are increasingly intolerant of mishandling or carelessness from the custodian; this gives rise to a number of the pressures outlined in the report.

Shrinking security spend

The CIISec report reveals that overwork and burnout are very real issues for the IT security industry in 2020, with 54% of respondents either leaving their role due to overwork or burnout, or knowing someone who has.

One reason for this is a lack of funding; 82% of respondents said security budgets were not keeping pace with rising threat levels.

With security spend either shrinking or struggling to stay afloat amidst a sea of risk, security teams are subsequently either smaller or stretched too thin. The result is a stark rise in stress levels, which in turn prove risky to organisations. Amanda Finch, CEO of CIISec, points to the increased pressure that will inevitably result from Covid-19, too, complete with its “profound effects on businesses’ budgets and ability to operate”.

To mitigate, “we need the right people with the right skills, giving them the help they need to reach their full potential”.

To the question “how do companies deal with busy periods?”, the following responses emerged:

  • Hope to cope with fewer resources – 64%
  • Let routine or non-critical tasks slip – 51%
  • Incentivise existing staff to cover tasks (e.g. through overtime) – 9%
  • Increase resources (i.e. hiring additional short-term staff) – 4%

The outlook for security budgets isn’t all that positive. Finch highlights the importance of “the industry learning how to do more with less.” Her claims – alongside the wider context of report – give extra weight to the findings of the TechHQ team, which recently documented the need for ‘more cash and more people’ in cybersecurty.

Issues of irony and diversity

The problem of under-staffing or under-skilling in information security is also one wrought with irony. CIISec see that understanding incentives and deterrents is key to the future of the industry, and ensuring it is equipped with an apt workforce. The report found that the top three reasons to take and leave a job as a cybersecurity professional were:

Top 3 reasons people take a job in IT security Top 3 reasons people leave a job in IT security
·       Remuneration ·       Poor remuneration
·       Progression opportunities ·       A lack of opportunity or progression
·       The variety of work ·       Poor remuneration

Diversity (or a marked lack thereof) is another issue. Only 10% of respondents were women, and the figures on pay present a similarly problematic picture. Finch says that “addressing a lack of diversity in the industry […] unlocks the skills and talents of a whole range of people who could collectively rejuvenate the industry and help reduce the huge pressure many security teams are under”.

The report paints a troubled outlook for the information security industry, but there are glimpses of positivity: 53% of respondents (a rise of 6% on 2019) believe the security industry is getting better at defending systems and data against attacks.

That said, a lower number than last year looked fondly on the industry’s capability of dealing with failures, breaches and incidents after the fact. This goes some way to explaining why, when asked what the most significant security technologies for 2020 would be, 31% of respondents turned to the great potential impact of AI and machine learning