New evidence from the Chartered Institute of Information Security suggests more than half of cybersecurity professionals are suffering from the effects of burnout. With cyber attacks increasing rapidly both in number and sophistication, CIISec CEO Amanda Finch gives business leaders some tips on how to support their security teams.
One of the damaging side effects of our technological revolution is the concurrent rise of cybercrime.
As individuals we are all becoming increasingly vulnerable to cyberthreats because technology is now essential to our lives, both at work and at home. For businesses, the spectre looms larger than ever before, as do the consequences of a cyberattack.
The average cost of a breach is $3.9 million for SMEs, and considerably more for publicly traded companies. Attacks have risen by 67% globally since 2014, and the FBI in the United States recently revealed that during COVID-19, it has recorded a 300% increase in cybercrime. To fight the threat, industry continues to spend trillions of dollars every year on cybersecurity.
All of this means that security has emerged as a critical function within organisations. Cybersecurity professionals are under huge pressure to shield their businesses, and to innovate and deliver new solutions for a digital world. But what if they can’t cope? What if a skills shortage and poor management is leading to overworked and under resourced security teams
This is a very material concern, and one highlighted in a new report from the Chartered Institute of Information Security (CIISec). It found that 54% of cybersecurity workers had either left a job due to burnout, or have worked with someone who has.
“It’s quite scary I think, in some ways,” admits Amanda Finch, the CEO of CIISec who has taken some time out to talk over the study’s findings with Digital Bulletin.
Making better use of the talent across a business when it comes to security could convince “overworked” security professionals to stay in their roles. Related to this, the CIISec study also revealed the main factors behind workers leaving, citing a lack of opportunity or progression, unpleasant or bad management, and poor remuneration.
All three can read as an employer not attaching enough value to an employee’s work. According to Finch, this harks back to her point about creating the best culture with the best people in the most relevant roles. She focuses on the perils of poor management
“Bad management is one of the factors that make people leave, and the associated issue with that is that sometimes you get people who are promoted into management positions who are not great managers. We need to realise that managing people is a whole specific skill area on its own, and that technical managers may not have the skills needed,” she says.
Finch has been working in cybersecurity for the best part of three decades – “I started back in the 1990s when it was called ‘computer security’!” – and is a fellow of The British Computer Society. She is therefore well-versed in the challenges faced by cybersecurity teams, and is determined to help solve them.
A significant barrier is the oft-highlighted skills gap, prevalent not just in security but in technology as a whole. In July, the Enterprise Strategy Group (ESG), and the Information Systems Security Association (ISSA) concluded from a 10-year study that “no progress” has been made in addressing the problem of demand and supply of cybersecurity professionals.
While Finch believes cutbacks might actually result in more skilled workers becoming available on the market, she admits this is still a major concern. What role could supportive technologies like artificial intelligence and automation play to redress the balance?
“I think this is a very important part of the dynamic,” she says. “Robots, AI, machine learning – they’re all really, really useful. If you can filter things that you don’t need to worry about, or use them to identify trends, then that is fantastic. But they are not a silver bullet – you need to be mindful of how you use things like machine learning to define patterns. If it’s using a limited dataset, then you can end up with some false positives.
“But having said that, it comes back to the whole thing of thinking differently to harness the resources that are available to you, and these are very useful tools in your armoury, as long as you use them with an open mind and an element of caution.”
Alongside the skills gap is the long-standing issue of diversity in cybersecurity. A deep dive into CIISec’s report reveals that little progress has been made; only 10% of the respondents were women, and those women were being paid significantly less than their male counterparts in similar roles. Thirty-seven percent of women earned less than £50,000 per year, compared to 21% of men,
Finch says that CIISec’s aim for the security industry is for it to eventually reflect the 50-50 gender split in society, although she admits there’s a long way to go. Career paths into cybersecurity have traditionally come from areas like IT, law enforcement and the military, sectors where the workforce is male-dominated.
These issues can be traced right back to education, where Finch also says there are problems to be addressed. Pupil interest in STEM subjects is “stagnating” according to research from Accenture, despite the career prospects on offer – not least in cybersecurity. Finch is optimistic that the tide can turn, however, and that the security industry can build the skilled and content workforce that it needs for the future.
“If you went to a careers event and stood up in front of parents and careers advisors and said ‘we’ve got a career here; it’s pretty well paid, there’s a skills shortage, the work is really interesting, and they’re very unlikely to be unemployed’, you’d probably get a whole load of people interested,” she concludes.
“It’s the whole thing of attracting people to the industry and what can be a fabulous career. There are some technical roles which are brilliant, but it’s also about saying there is a whole raft of roles that rely on psychology, communication, lots of different things, that could appeal to a wide cross-section of people.”
