What you can do about a stressed and stretched cybersecurity workforce

More than half (54 per cent) of IT security professionals had either left a job due to overwork or burnout, or worked with someone who did, according to the latest Chartered Institute of Information Security (CIISec)’s The Security Profession 2019-2020 report. 

The survey highlights the need for management to tackle this growing crisis facing the industry.

The report pointed to potential causes and consequences. It said that security budgets are not keeping pace with the rising threat level – and when security teams are stretched during holidays or busy periods, 64 per cent said their businesses simply ‘hope to cope’ with fewer resources when necessary, while just over half would let routine or non-critical tasks slip.

Pandemic problems

Amanda Finch, CEO of CIISec said that security teams are only likely to come under more pressure in 2020, as the COVID-19 outbreak and its aftermath have profound effects on businesses’ budgets and ability to operate,

“Unless the industry can learn how to do more with less while also addressing issues of diversity and burnout, risks will rise and organisations will suffer,” she said. 

“To avoid this, we need the right people with the right skills, giving them the help they need to reach their full potential. This doesn’t only apply to technical skills, but to the people skills that will be essential to giving organisations a security-focused culture that can cope with the growing pressure ahead.”

Irfahn Khimji, country manager, Canada at Tripwire, told SC Media UK that the current COVID-19 crisis had increased stress and burnout as new projects focusing on secure remote work became a priority.

“The expectation was that the existing critical projects would not drop. Teams that were already stretched thin ended up getting even further stretched with the additional workload,” he said.

Stretch – then limits

Khimji added that CISOs can focus on helping the mental health of their teams by encouraging a limit on working hours and encouraging their teams to take time off.  

“When working from home, the line between work and home gets blurred resulting in a much longer work day. Encouraging the team to disconnect after a certain amount of time allows rest, spend dedicated time with their families and refresh for the next work day,” he said.

Ekaterina Khrustaleva, chief operating officer at ImmuniWeb, told SC Media that most of the burnout incidents stems from poor coordination and flawed planning. 

“If you thoroughly design your task load and establish ambitious but feasible KPIs with attractive incentives for the best performers, you will likely reduce conflicts, stress and toxic atmosphere to zero. You’ll apportion the workload in a transparent, efficient and effective manner enabling your team to unlock hidden capabilities,” she said.

Diverse thinking – fresher minds

The report also showed the lack of diversity that still plagues the industry. Of all the respondents, only 10 per cent were women. While this has doubled since 2015, the report suggested there is a long way to go.

Although men and women were equally represented across age and level of education received, women were paid significantly less on average or were in lower paying roles with 37 per cent of women earning less than £50,000 per year, compared with 21 per cent of men. The report also found that 15 per cent of women earned more than £75,000 per year, compared with 39 per cent of men.

“Addressing a lack of diversity in the industry isn’t only a matter of fairness,” said Finch. “It also unlocks the skills and talents of a whole range of people who could collectively rejuvenate the industry and help reduce the huge pressure many security teams are under.”

She added that there is a need to attract a more diverse range of people to a career in security. “Understanding why people join – and why they leave – is the beginning of building a resilient workforce that can face the challenges ahead.”

Mike O’Malley, VP of carrier services at Radware, said that diversity in the workplace should start at the top by promoting a workplace fabric that nurtures diversity. 

“One of the ways is to stop following commonly established social stereotypes. As organisations continue to grow, educating employees on the importance of diversity by providing real life scenarios can help demonstrate the positive impact it can bring to the business and individuals,” he said.

“Promoting flexibility in choosing the right careers and providing a supportive environment for upskilling and progression can also go a long way in setting up organisational success. It all leads to a healthy workplace.”

Four-point guide to reducing stress

Quick wins

1. Enforce time off for the workforce with strict working hours

2. Establish ambitious but feasible KPIs to reduce conflict and increase transparency

Strategic plays

3. Promote diversity to rejuvenate and alleviate by understanding why people join and leave the sector

4. Create flexible career paths, upskilling opportunities and clear progression routes