Overworked, undervalued and stressed security professionals are increasingly frustrated by the lack of budgetary support they are receiving for cyber security, particularly given the constantly evolving threat environment, according to a report produced by the Chartered Institute of Information Security (CIISec), The security profession 2019/2020.
In the study of 445 IT security professionals, 82% said security budgets were failing to keep pace with the wider environment, either rising too slowly, staying static, or dropping.
On top of this, according to CIISec, 64% said their businesses were having to cope with fewer resources when necessary, and 51% admitted to having let routine or non-critical security tasks slip, increasing risk to their organisations. Over half (54%) said they had either quit a job due to overwork or burnout, or had worked with someone who had.
Meanwhile, 67% of respondents said the biggest challenge for security in an organisation was people, compared with 14% who said processes and 11% who said technology.
“Sadly, security teams are only likely to come under more pressure in 2020, as the Covid-19 outbreak and its aftermath have profound effects on businesses’ budgets and ability to operate,” said CIISec CEO Amanda Finch.
“Unless the industry can learn how to do more with less while also addressing issues of diversity and burnout, risks will rise and organisations will suffer. To avoid this, we need the right people with the right skills, giving them the help they need to reach their full potential.
“This doesn’t only apply to technical skills, but to the people skills that will be essential to giving organisations a security-focused culture that can cope with the growing pressure ahead,” she said.
CIISec highlighted that given this pattern of pressure and risk, attracting and retaining security personnel needed to be a priority for employers, and special consideration needed to be given to factors such as remuneration, opportunity for career progression and variety of work, all of which were cited (alongside unpleasant management) as top reasons for security professionals to move on.
The organisation also found that while the security industry was improving by some measures when it came to gender diversity, more needed to be done in this regard as well. It found that while men and women were fairly equally represented across metrics such as age and level of education, women in security tended to land in lower paid roles.
For example, said CIISec, 37% of women in security make under £50,000 per annum, compared with 21% of men; 15% of women earn over £75,000, compared with 39% of men; and only 5% of women earn over £100,000, compared with 18% of men. No women questioned for the study earned over £125,000, but 12% of men did.
“Addressing a lack of diversity in the industry isn’t only a matter of fairness. It also unlocks the skills and talents of a whole range of people who could collectively rejuvenate the industry and help reduce the huge pressure many security teams are under,” said Finch.
“We need to do all we can both to attract new blood to a career in security, and to ensure those already in place want to stay there. Understanding why people join – and why they leave – is the beginning of building a resilient workforce that can face the challenges ahead.”