Author // Ben Mouncer

New evidence from the Chartered Institute of Information Security suggests more than half of cybersecurity professionals are suffering from the effects of burnout. With cyber attacks increasing rapidly both in number and sophistication, CIISec CEO Amanda Finch gives business leaders some tips on how to support their security teams.

One of the damaging side effects of our technological revolution is the concurrent rise of cybercrime. As individuals we are all becoming increasingly vulnerable to cyberthreats because technology is now essential to our lives, both at work and at home. For businesses, the spectre looms larger than ever before, as do the consequences of a cyberattack.

The average cost of a breach is $3.9 million for SMEs, and considerably more for publicly traded companies. Attacks have risen by 67% globally since 2014, and the FBI in the United States recently revealed that during COVID-19, it has recorded a 300% increase in cybercrime. To fight the threat, industry continues to spend trillions of dollars every year on cybersecurity.

All of this means that security has emerged as a critical function within organisations. Cybersecurity professionals are under huge pressure to shield their businesses, and to innovate and deliver new solutions for a digital world. But what if they can’t cope? What if a skills shortage and poor management are leading to overworked and under-resourced security teams?

This is a very material concern, and one highlighted in a new report from the Chartered Institute of Information Security (CIISec). It found that 54% of cybersecurity workers had either left a job due to burnout or had worked with someone who had. “It’s quite scary I think, in some ways,” admits Amanda Finch, the CEO of CIISec, who has taken some time out to talk over the study’s findings with Digital Bulletin.

Amanda Finch, CEO, CIISec

CIISec’s “State of the Security Profession” survey has been running for five years, and aims to uncover the main trends in the security space and shine a light on concerns the industry may have, such as overworking. CIISec itself accredits cybersecurity professionals in the UK and develops ethical standards for the sector. It was awarded Royal Charter status by Her Majesty The Queen in December 2018.

Fundamental to CIISec’s work is a people-centric view of cybersecurity, which draws more attention to the headline findings of its 2019/20 report. Not only did the majority of respondents confirm they had been affected by burnout, but 64% said their businesses simply “hope to cope” with fewer resources when necessary. Eighty-two percent said security budgets were not keeping pace with rising threat levels.

Finch believes the industry currently finds itself in a dangerous cycle, and one which has been exacerbated by the coronavirus pandemic. “People are getting burned out, which means you get shortages within an organisation, which means people are then working harder,” she says. “If you look at the current environment, where people are working remotely or you’re trying to work around holidays or peaks or things like that, then you’re getting stretched even more.

“And I think security people don’t like to fail, so they’ll keep going the extra mile to try and fix something - we don’t like walking away from problems. We try to do our best to fix things.”

Budget cuts in the wake of COVID-19 won’t have helped either, with maybe the worst still to come. Even though threats have increased exponentially during the virus outbreak, security teams aren’t protected from fiscal realities. “Security will have to tighten its belt just like everyone else,” Paul McKay, a senior analyst at Forrester, recently told The Wall Street Journal. Finch is of the same opinion, admitting that businesses “need to try and do more with less” - but she is adamant that better is still possible, in spite of cuts.

For her, it comes down to creating a meaningful security culture within an organisation. “I have this thing about putting security into people’s DNA, so they are almost innately aware of issues that are out there,” she says. “It’s getting people to understand the motives attackers may have, and the range of attacks. It’s a continual thing to make sure that people are actually thinking about security in their own minds.”

Cultural change should begin with the makeup of the security teams themselves. Historically, Finch says, teams haven’t been diverse enough in terms of skills, focusing too heavily on technical expertise and not enough on developing strength in areas like communication and project management. She believes burnout could be reduced if a team’s technical “superstars” are freed up by supporting staff who could take on the more trainable security disciplines.

“The thing that you need to have is the right people with the right skills,” Finch explains. “You shouldn’t wear out your A-team by putting them in roles that could be carried out by others. Security is often seen as a very technical discipline, but the human side is not.
“There’s a lot of supporting skills you can bring in; potentially you can bring in people who are not technical but understand the business, who can help with awareness campaigns, or policy, doing some of the aspects that you can train people fairly rapidly to do. People have innate skills that they can bring into security. Then it’s a question of mapping knowledge onto them so they can apply it and help protect the organisation.”

Making better use of the talent across a business when it comes to security could convince “overworked” security professionals to stay in their roles. Related to this, the CIISec study also revealed the main factors behind workers leaving, citing a lack of opportunity or progression, unpleasant or bad management, and poor remuneration. All three can read as an employer not attaching enough value to an employee’s work. According to Finch, this harks back to her point about creating the best culture with the best people in the most relevant roles.

She focuses on the perils of poor management. “Bad management is one of the factors that make people leave, and the associated issue with that is that sometimes you get people who are promoted into management positions who are not great managers. We need to realise that managing people is a whole specific skill area on its own, and that technical managers may not have the skills needed,” she says.

Finch has been working in cybersecurity for the best part of three decades - “I started back in the 1990s when it was called ‘computer security’!” - and is a fellow of The British Computer Society. She is therefore well-versed in the challenges faced by cybersecurity teams, and is determined to help solve them.

A significant barrier is the oft-highlighted skills gap, prevalent not just in security but in technology as a whole. In July, the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) concluded from a 10-year study that “no progress” has been made in addressing the problem of demand and supply of cybersecurity professionals. While Finch believes cutbacks might actually result in more skilled workers becoming available on the market, she admits this is still a major concern. What role could supportive technologies like artificial intelligence and automation play to redress the balance? “I think this is a very important part of the dynamic,” she says.
“Robots, AI, machine learning - they’re all really, really useful. If you can filter things that you don’t need to worry about, or use them to identify trends, then that is fantastic. But they are not a silver bullet - you need to be mindful of how you use things like machine learning to define patterns. If it’s using a limited dataset, then you can end up with some false positives.

“But having said that, it comes back to the whole thing of thinking differently to harness the resources that are available to you, and these are very useful tools in your armoury, as long as you use them with an open mind and an element of caution.”


Alongside the skills gap is the long-standing issue of diversity in cybersecurity. A deep dive into CIISec’s report reveals that little progress has been made; only 10% of the respondents were women, and those women were being paid significantly less than their male counterparts in similar roles. Thirty-seven percent of women earned less than £50,000 per year, compared to 21% of men.

Finch says that CIISec’s aim for the security industry is for it to eventually reflect the 50-50 gender split in society, although she admits there’s a long way to go. Career paths into cybersecurity have traditionally come from areas like IT, law enforcement and the military, sectors where the workforce is male-dominated. These issues can be traced right back to education, where Finch also says there are problems to be addressed. Pupil interest in STEM subjects is “stagnating” according to research from Accenture, despite the career prospects on offer - not least in cybersecurity.

Finch is optimistic that the tide can turn, however, and that the security industry can build the skilled and content workforce that it needs for the future. “If you went to a careers event and stood up in front of parents and careers advisors and said ‘we’ve got a career here; it’s pretty well paid, there’s a skills shortage, the work is really interesting, and they’re very unlikely to be unemployed’, you’d probably get a whole load of people interested,” she concludes.

“It’s the whole thing of attracting people to the industry and what can be a fabulous career. There are some technical roles which are brilliant, but it’s also about saying there is a whole raft of roles that rely on psychology, communication, lots of different things, that could appeal to a wide cross-section of people.”