Having robust information security systems in place is a requirement of doing business, not a ‘nice to have’. But to have a comprehensive security system, leaders need to engage with methods to look after their information security professionals too. It’s about people as much as it is hardware.
At the top of the information security hierarchy, one will typically find the chief information security officer (CISO). While they may be the overall boss, others responsible for information security are also vital. Survey after survey says many of these professionals can be subject to an incredibly stressful time; it is important that no one in your business aren’t included in this total.
A clear need for care
In the latest Chartered Institute of Information Security's (CIISec) State of the Profession report cyber security experts said work keeps them awake at night. Half (50%) cited day-to-day stress or workload, while 32% cited suffering a cyber attack.
Along with stresses keeping information security professionals up at night, experts in the sector battle an ‘always on’ culture that seriously affects mental health. In Deep Instinct’s 2022 Voice of SecOps report, security professionals stated an “expectation to be constantly on call” was a recurring stress for those in the role.
There is also “an all too prevalent blame culture that exists in the industry that asks who is responsible for a breach, not why it happened”, says Johan Dreyer EMEA Field CTO at Mimecast. Dreyer also cited two other factors: “a well-documented skills gap that means many organizations are not sufficiently resourced with cybersecurity professionals,” and “the threats themselves are evolving and cybersecurity professionals need to keep pace.”
All three of these factors are arguably more about resources than anything else. Hire more staff, keep their skill levels up, and make sure the tech is up to date. But there is also an organizational culture factor – Dreyer’s mention of the blame culture.
The blame placed on information security professionals
Travis Wong, Global Head of Customer Engagement at leading cyber security and insurance provider Resilience points out that cyber security professionals have to fight surging cyber threats that exacerbate burnout.
“There is no winning scenario for security professionals. They are asked to prevent incidents at all times and if anything happens, rightly or wrongly, often bear the brunt of the blame.”
Addressing the blame culture is all about taking care of your people. Wong suggests investing in training and building camaraderie, adding “Many security professionals love to learn new skills and collaborate with peers at local and national conferences.” Travis also champions flexible working hours and ensuring that there is a realistic attitude to risk: “If everything is classified as critical, nothing can be prioritized.”
Working hours for information security professionals
Another key finding of the CIISec research is that 22% of respondents work more than the 48 hours per week mandated by the UK Government, and 8% work more than 55 hours. There could be various causes including presenteeism and performative work, even turning up to work when ill, staff shortages – there just aren’t enough people with the right skillset available, unmanageable workload – not quite the same as staff shortages as this more about a poorly designed role description, or even bad management – seniors expecting unrealistic levels of output.
Whenever one or all of these factors are at play, unhappiness and burnout among infosec professionals rises. One way to help alleviate the pressure is to make the technology work harder.
Dreyer suggests practical steps such as automating the back office so staff can focus on valuable areas. The advice from Wong focuses on risk management through actions like understanding the variable effects of exposure – “not all threats are equal”, he says.
The practice of prioritizing security controls according to risk, and establishing a key risk indicator to ensure the organization is within tolerance on an ongoing basis can help. Carefully and thoroughly implemented, such measures can help reduce their day-to-day workload. They are not a one-off activity, but an ongoing approach to work.
Addressing the information security skills issue
The already noted and well-documented cyber skills deficit is a key factor and the CIISec report notes that this shortage is less about total recruit numbers than it is about a specific cyber security skills shortage among staff. “What's important for organizations with significant spending limitations to do is to formally dedicate learning and development time for their security professionals so they can advance their skills,” Wong advises. He notes this need not be expensive as there are free and low-cost resources available for training and learning.
Perhaps a recognition of the need to upskill information security professionals is in play, as Dreyer notes: “There is a growing realization in the boardroom that cyber risk is not just an IT problem – it’s a critical vulnerability that directly equates to overall business risk, particularly during tough economic times.” Going hand in hand with that realization is the understanding that security is a matter of working practice for everyone, and that embedding good practice across organizational culture is increasingly seen as important.
For now, research suggests that the cyber security skills shortage is here and that information security professionals are feeling the burden in the form of stress and blame from higher-ups. Moreover, some organizations aren’t investing enough in upskilling, managing their attitude to risk, or embedding strong security awareness into day-to-day working. If an organization’s security professionals don’t stay long, but instead decamp to other employers, perhaps it is time to consider how to look after them better.
