
Burn baby burn, infosec inferno: Just 21% of security pros haven't considered quitting their current job

(2020/07/14)


Almost one in five infosec pros have quit a job due to overwork or burnout caused by the constant pressure of keeping things safe and doing so without the resources to counter ever-evolving threats.

This is the gloomy picture painted by a report from the Chartered Institute of Information Security (CiiS – previously known as IISP), which surveyed 445 security specialists.

"In an era where workplace stress, mental illness, mindfulness and work-life balance are matters of importance and interest, we sought to understand if the security profession was at risk of burning itself out," the report, Security Profession 2019/2020 ([1]PDF), stated.

CiiS asked if the sector is trying to "cope with a growing problem by relying on a static and under-resourced workforce? And what does this mean for the people at the coal face?"

Some 18 per cent said they had personally walked out of a role permanently because of burnout; 36 per cent professed to knowing someone that had left due to it; and another 25 per cent claimed they had considered it.

"Sadly, only 21 per cent have had no brushes with this problem at all," the report added.

This was the first time CiiS had specifically polled security people on the topic, so it said it had no previous data with which to compare the latest findings.

So why the discontent from those surveyed? The majority (64 per cent) claimed it was being forced to cope with fewer resources; and just over half also said stresses and strains were compounded by routine daily tasks slipping away in the flood of work. A lack of incentives including overtime and time in lieu was another reason cited.

Against a backdrop of workplace stress, "the fact that companies 'muddle through' rather than recognising the increased efforts of staff, seems to worryingly reveal that the overwork problem is not one that is being acknowledged," it added.

The topic of burnout in the field of infosec isn't new so it's curious that the CiiS hasn't probed members on it before. A survey on the topic by [2]Symantec in April last year revealed that 83 per cent of 3,000 pros it spoke to reported feeling burnout and two-thirds were considering whether to leave the industry entirely.

Another reason for some in the security department to feel overwhelmed is the lack of funding: the CiiS report found that just 7 per cent believed their security budget was rising ahead of threat levels, down from 11 per cent last year. Half said it was rising behind threat levels, 24 per cent said it was static and 8 per cent said it was falling.

"The overall theme seems to be one of shrinking security spend," the report added.

That said, 53 per cent reckoned they are getting better at defending their systems and 56 per cent said the industry was better at dealing with failures, breaches and incidents. It's just that the satisfaction of doing so might not be enough for some.

Jake Moore, security specialist at ESET, said a "deadly mix of ingredients" including a rise in ICO fines, incessantly evolving threats and fewer tools was "creating exhaustion" among some security folk.

"Stress is undoubtedly playing a huge part in the burnout of so many infosec professionals," he told The Register. "A constant deluge of the latest attacks causes a huge burden on those in charge of systems, which is made worse when the finger pointing starts in trying to ascertain who is at fault.

"If possible within an organisation, it can help to introduce job rotation for employees. Those monitoring cyber threats are likely to be at risk of increased stress levels and it's important to keep this pool of talent in the industry before burnout strikes."

The answer to the problem is simple, if only employers would heed the words of this [3]Reddit commenter: listen to and respect the calls from the security team; pay wages that "match... stress levels"; ask for input on hires rather than hire unsuitable people; and last but not least: "let us do our jobs." ®




[1] https://www.ciisec.org/CIISEC/News/Over%20Half%20of%20Cyber%20Security%20Professionals%20Affected%20by%20Overwork%20or%20Burnout,%20CIISec%20Survey%20Finds.aspx

[2] https://medium.com/threat-intel/cyber-security-burnout-stress-73653258422c

[3] https://www.reddit.com/r/cybersecurity/comments/dgmky4/were_all_at_risk_when_65_of_stressedout/


Where to get competent staff?

mmccul

Since I'm interviewing candidates very regularly for a variety of different infosec roles as a part of my job, I've found that one reason for burnout is the difficulty in finding competent staff. My employer has no incentive to fail to find good candidates, but so few of the candidates sent my way am I able to give a thumbs up for more than a tier-1 secops team staff -- the kind that does nothing but pre-written instructions developed by someone else.

I've seen roles go unfilled for a year or longer just trying to find a competent low to mid level security analyst. Add in any middle to high level skill and expect more of a senior technical security role, and the time can increase even more.

Easier to burn out when people leave and are not replaced, not because management won't let them be replaced, but because no one can find anyone they feel has the skills to be worth the cost of the chair they sit in.

Re: Where to get competent staff?

JohnSheeran

Are you developing your people? It seems like the trend is to hire younger workers and develop them in house rather than look to the market for these skills.

Don't take it as a criticism but it's beginning to feel like even the younger workers aren't interested in the things we need them to be interested in and even getting someone that's promising seems to be getting more difficult.

Re: Where to get competent staff?

Khaptain

Before you can find and eventually become capable of using competent staff, there is one far more important element to consider, competent management.

If your N+1 asks for a certain established level of security but your N+2 is asking for another then the only guaranteed outcome is failure.

I think we all know the scenario whereby the call comes in from the Big Boss about how urgent this latest document is for the company and that he must be given access to X, Y or Z immediately, thereby knocking security back to nothing.

Re: Where to get competent staff?

Anonymous Coward

There is one absolutely critical axiom of security work.

If someone in security is not given sufficient resources to do the work, that means they're merely there to take the blame for when things go wrong. I've seen it enough, and trust me, once you have that reputation you won't be able to get anyone actually competent to come even near you.

As for the rest, if you're looking for a competent manager that can actually keep the people you hire, let me know :).

Re: Where to get competent staff?

Anonymous Coward

Mmccul is not getting competent staff.

Three things:

1. Paying more will get you a greater choice, as will recruiting better.

2. A technical job should have testing at the application stage to weed out unsuitable applicants before they waste your time and (ideally) more detailed in-person tests later on to weed out the cheats and identify the truly capable.

3. The interview probably fails the best people. The sort of person that has great attention to detail and an enthusiasm for the nitty-gritty of IT systems is probably not going to interview well... but a BS merchant will come across great!

My organisation puts greatest weight on the interview. We're suffering massively because of it.

"The majority (64 per cent) claimed it was being forced to cope with fewer resources"

Pascal Monett

Don't worry though, as soon as the company gets hacked, security will be "its #1 priority".

Re: "The majority (64 per cent) claimed it was being forced to cope with fewer resources"

MiguelC

It might become #1 priority, but security won't get any more resources allocated because of that.

They'll hire some PR people instead.

Internal pressure

Anonymous Coward

Having retired from security consultancy I can say that I really found the pressure of project managers and bid managers wanting to reduce the security requirements for the systems hard going at times. Security was basically seen as something to be reduced to save costs and win the bid, even when that would mean breaching HMG requirements as stated by the then GCHQ/CESG. Just getting a first penetration test of a system that had been running online for over 10 years was a struggle, as it was not 'in the budget'.

Even when I registered a formal complaint about undue pressure, the salesman was not criticised, and eventually promoted. The fact is that if companies do not understand how to use security features as a sales promoter and benefit, they will put pressure on the security specialist to reduce security to below the absolute minimum, in the hope that a disaster will never happen, or at least not while they are still around, and they can always blame the security specialist if it does. It is rather like Idi Amin blaming his advisors for not persuading him of the dire economic consequences of ejecting all those Ugandan Asians who were an integral part of the national economy (they warned him but did not persuade him, so obviously it was their fault).

The reason I didn't jump ship was that I didn't think I'd get any better treatment elsewhere.

Anonymous coward to avoid the guilty being identified and me being sued.

The greatest of faults is to be conscious of none.