Perhaps no other industry can lay claim to such a spate of challenges in a short span as the cybersecurity industry. Still very much in its infancy by most standards – it would not be out of place to put the age of the industry at just a few decades – cybersecurity has seen rapid growth in many sectors, but has also experienced an equally rapid and devastating set of challenges in the same period. After data breaches, identity thefts, social engineering, ransomware, the downside of Artificial Intelligence, and insider threats, to name just a few challenges, you’d think the industry has seen them all.
WRONG.
For the last 2 years, industry analysts have been predicting the advent of a far greater crisis – involving the very cybersecurity professionals who are responsible for the implementation of its tenets and practices. With the severe paucity of talent in a variety of cybersecurity fields that the industry is experiencing, the widespread burnout, fatigue, and stress (1) of professionals and the Great CISO Resign phenomenon, that prediction has become a reality.
In a nutshell
Let’s take a look at some of the problems that have been plaguing the cybersecurity industry for a while now. The highly technical nature of the industry has brought with it a fair share of people-related challenges. The situation has been exacerbated to some extent by other circumstances like the recent pandemic, inflationary trends, financial crises, and the unprecedented surge in cybercrime.
Broadly speaking, however, the people-centered problems facing the industry could be summarized as:
- Acute shortage of professionals available to fill the demand in the industry, due to:
  - Complexity of roles involving a variety of skills such as network traffic analysis, penetration testing, security management, risk assessment, cloud computing, coding, security and data controls, software development, and behavioral analytics
  - Shrunken talent pool caused by larger organizations’ recruiting patterns which leave smaller organizations with little or no talent to choose from
  - Lack of diversity due to paucity of women professionals and minorities in the talent pool
  - Growing tendency of young/fresh talent not to opt for IT and related sectors/fields
  - Unprecedented surge in cyberattacks in recent times
- Increasing skills gap as a consequence of:
  - Conventional academic curricula and training are inadequate to match the requirements of a rapidly evolving technological landscape
  - Relative lack of formal education in the current workforce with a considerable number of both men and women being self-taught
- Stress, burnout, and fatigue are on the rise in cybersecurity professionals resulting in attrition and lowered levels of performance due to errors and disinterest
- The Great CISO Resign (1) is characterized by an increasing number of CISOs vacating their positions or leaving the industry due to stress, lack of alignment with their C-suite colleagues or boards, and absence of a reasonable work-life balance
The figures tell the tale
The numbers for shortages tell the true story. The 2022 (ISC)2 Cybersecurity Workforce Study (3) puts the number of unfilled cybersecurity vacancies in organizations at a staggering 3.4 million globally, and in the US at almost 700,000. The World Economic Forum points out that no industry seems to be unaffected by the shortage. Only 14% of leaders in the banking and capital market reported being able to meet their cybersecurity talent requirement. For the public sector, the response stood at 15%, the energy and utility sector at 20%, and the insurance and asset management at a disconcerting 25%. Worse still is the response as to how the industry is handling the crisis. TechTarget (4) says 95% of respondents believe the skills gap has not reduced over the past few years, and nearly 44% believe it has deteriorated.
The statistics for CISO resignations also make alarming reading. SDX Central (6) cites a mid-2023 study by anti-data exfiltration and ransomware prevention company BlackFog which claims that 32% of CISOs in the UK and US have considered leaving their jobs, with many planning to do so in just six months. Cyber Center.org (5) cites a study by IANS Research and Artico Search which put the number of CISOs contemplating a job change at 44% for reasons ranging from work-related stressors to an absence of work-life balance. For a pivotal role involving the ‘leader of the front line of defense against threat actors,’ as the Chairman of the National Cybersecurity Center’s Cyber Committee terms the CISO, that is an alarming figure, by any account.
The impact on organizations
Workforce attrition, recruitment, upskilling, training, and succession planning have always been watchwords for human resources. Hence, staff shortages and resignations in the cybersecurity field – deemed by a Future of Jobs 2023 report as amongst the top strategically emphasized skills for the workforce – must ring alarm bells in learning organizations. The impact can be catastrophic. Take the case of losses (1) due to data breaches alone, which have been attributed to overburdened, overworked cybersecurity staff. That aside, organizations could face the following consequences from the current crisis:
- Increased responsibilities being thrust on the existing workforce, leading in turn to further burnout, stress, and reduced productivity/effectiveness
- Tendency of over-burdened workforce to desist from upskilling and updating their professional qualifications
- Lowered levels of innovation, a prerequisite for the industry
- Higher recruitment costs as shrunken talent pools available to smaller organizations cause increased demand to drive salaries north
- Tendency to compromise on processes, leading to compliance issues with certification agencies
- Loss of investor confidence, goodwill, and market reputation
- Conflicting vision, lowered employee morale, and leadership crises as leaders like the CISO and senior executives leave the organization
Addressing the crises
A crucial part of the success of an organization’s operations, cybersecurity’s staffing crises will need to be addressed in a concerted manner. It would be unrealistic to believe an overnight solution can be achieved, no matter the size of the organization. Solutions will take time and sustained investment. Organizations may benefit from addressing the situation in the following manner:
Shortage of professionals
- Selectively partner with agencies, industry professionals and third-party providers for outsourcing services that would otherwise be managed in-house
- Systematically look to absorb talent from hitherto unrepresented communities/ethnicities including women specialists to bring diversity to cybersecurity teams
- Carefully review, rewrite and restructure cybersecurity requirement campaigns to widen recruitment searches
Bridging the skills gap
- Conceptualize an organic program to promote/encourage interest in cybersecurity amongst employees from other disciplines
- Invest in education and training programs for existing cybersecurity teams and potential cybersecurity personnel from other disciplines
- Partner with nearby academic institutions, universities, and colleges for development courses for the existing workforce
- Offer internships with the cybersecurity team, such that interns may subsequently join the organization
- Systematically train mainstream IT personnel to become cybersecurity specialists, especially as they are familiar with the organization’s security infrastructure
Stemming stress, burnout, and fatigue
- Review working hours, shifts, and workloads of existing teams
- Invest in programs/sessions for the mental and physical health of employees
- Monitor employees for signs of stress and burnout, including analysis of cybersecurity incidents that are associated with burnout/fatigue
- Enforce a healthy work-life balance
- Invest in automation, analytics, AI, and other technologies that will support cybersecurity team efforts
- Outsource routine and mundane repetitive tasks to ease the burden on cybersecurity teams
Arresting the CISO exodus
- Evaluate stressors and work-life balance of the CISO
- Initiate discussions with the CISO about roles, responsibilities, and reporting. Escalate learnings to the C-suite
- Review compensation packages and incentives
Final words
For an industry that relies so much on technology and people, it would be fair to state that the staff and skills shortage that the cybersecurity industry is presently experiencing is alarming.
In 2022, Forbes (2) listed as many as four human resource issues – CISO resignations, burnout, the inability to source talent and the failure of professionals in the industry to innovate – among the top ten risks/threats that organizations would face in coming years.
Perhaps how grim the situation is can be gauged from the Gartner prediction (3) that ‘by 2025, the lack of cybersecurity professionals or a lack of talent will be responsible for more than 50% of significant cybersecurity incidents.’
For an industry which is all about security, even given its history of rebounding from its crises, that prediction alone must resonate seriously with its leaders and industry captains.
References
1. https://aurorait.com/2023/09/17/the-looming-threat-of-fatigue-stress-and-burnout-in-cybersercurity/
2. https://www.forbes.com/sites/edwardsegal/2022/01/05/the-10-biggest-risks-and-threats-for-businesses
3. https://fieldeffect.com/blog/overcoming-the-cybersecurity-talent-shortage
4. https://www.techtarget.com/searchsecurity/tip/Cybersecurity-skills-gap-Why-it-exists-and-how-to-address-it
5. https://cyber-center.org/the-great-ciso-resignation/
6. https://www.sdxcentral.com/articles/analysis/the-great-ciso-resignation-why-security-leaders-are-quitting-in-droves/2023/05/