Dealing with Stress and Attrition in Cybersecurity Jobs
Picture yourself as a cybersecurity leader seated in a conference room with other cybersecurity leaders from across your industry. Now imagine looking at the person seated to the left of you. Chances are that the person seated beside you will not be in their present role in 2025. That is because according to Gartner, nearly half of all cybersecurity leaders will change jobs by then. In fact, 1 in four will change roles entirely.
On the surface, it may seem hard to imagine why professionals in these positions would be so willing to flee. According to a March 2023 report by Glassdoor, the average salary for a cybersecurity lead position is over $93,000. What’s more, at a time when many companies are implementing widescale layoffs, especially amongst hi-tech workers, cybersecurity professionals are being bypassed by these abrupt staff cutting initiatives so job security is not an issue. So, what is driving these workers to quit? Gartner Director Analyst sums it up in one sentence: “Cybersecurity professionals are facing unsustainable levels of stress.”
The Stress is Unimaginable
When a business is compromised by a cyberattack, the wheels of business grind to a halt. Whether it is because your systems are encrypted and inoperable from a ransomware attack or your databases and business applications have been taken offline to contain a data breach, the result is the same. Downtime is very expensive. Once an incident occurs, IT security personnel are immediately prompted to begin a work marathon that will require them to work days on end without time off. Senior executives and business unit leaders will be implored to find out when their systems will be operational. Security leaders will have to deal with outside parties including media personnel, attorneys, and forensic experts. It is not going to be fun.
The negative effects on a cybersecurity team after an attack are almost immediate. Nearly a third of IT teams report increased absences due to burnout in the months after an attack. Not only do 54% experience a negative impact on their mental health, but 56% say that their roles are becoming more stressful each year.
Security Staff Gaps Are a Real Problem
While we often talk about security gaps in the attack surface of a company’s IT estate, cybersecurity talent gaps are just as serious. While your company may have best-of-breed security controls, those tools will serve little purpose without the proper personnel to manage them and make use of their data. Security dashboards provide a vast array of information concerning potential vulnerabilities, suspicious traffic patterns, or incidents of unauthorized access, but dashboards require an important element for them to be effective. They require a human to be in front of them, interpreting what all those notifications mean and ensuring nobody losses sleep over real or false alarms.
The Frustrations of the Cybersecurity Trade
Imagine the frustration of a doctor or health practitioner that must deal with patients that continually practice unhealthy lifestyle habits, refuse their advice, or fail to take their prescribed medications (the CDC reports that up to 30% of prescriptions for chronic health problems are never filled). Cybersecurity leaders experience that same level of exasperation. Despite continual attempts to educate users about the dangers of clicking embedded links or attachments, users continue to do so uninterrupted.
A recent Gartner study showed that 69% of employees have bypassed their organization’s cybersecurity guidance in the past 12 months. More alarming, 74% of employees said they would be willing to bypass cybersecurity guidance if it helped them achieve a key business objective.
The Odds Favor the Bad Guys
The job of the protector is far more stressful than that of the attacker. While a cybersecurity team is responsible for securing every endpoint and application within the organization, a hacker only needs to find a single point of vulnerability to achieve an attack objective. You can effectively patch 99% of your systems, but the presence of a single unpatched operating system or application can undermine all your efforts. Yet, as important as patch management is, patching efforts must often be delayed to accommodate other business priorities.
The Stress of Non-Compliance
Most people get nervous when their actions are being scrutinized under observation. This is what compliance is all about. Governments and industry overseers have learned just how serious the problem of data breaches and cybersecurity attacks can be and have been adapting new regulatory sets in response. From GDPR to CCPA and from HIPAA to PCI DSS, cybersecurity leaders must learn to adapt to a rapidly changing regulatory landscape. While an incident of noncompliance may not prove as detrimental as the aftermath of a successful cyberattack, companies can face stiff penalties for non-compliance and leave themselves open to litigation damages instead of an attack.
How to Reduce the Risk of Attrition
While organizations must pay attention to the needs of all employees, businesses must recognize the stress that cybersecurity leaders are experiencing. Otherwise, burnout and attrition will continue to prevail in this critical industry. While most workers are always receptive to more money, compensation alone is not the answer. Offering a sustainable work-life balance in the form of flexible work times or generous vacation allotments can provide ways for cybersecurity soldiers to have proper downtime. Incentivized training programs and development opportunities can help retain cybersecurity talent and empower them with new advanced skill sets and knowledge bases.
Employing a SOC to Fill Gaps
While these strategies can improve attrition and retention rates, cybersecurity skill gaps can remain. As a result, many SMBs are finding additional ways to prevent cybersecurity skills gaps from leaving them exposed. One of these is attaining the services of a security operations center (SOC). A SOC provides a dedicated team of external cybersecurity experts to fill in any personnel, skill, or knowledge gaps that can leave you exposed to attack. A SOC team can also serve as the cavalry that rushes in to save the day in the event of an incident. Further stressing the need for a SOC, it provides SMBs a way to leverage AI-driven automated tools that don’t rely on manual human intervention. In many respects, only automated intelligence can stay ahead of the ever-changing threat landscape that businesses must deal with today.
Yes, the stress that cybersecurity professionals experience is indeed real. So are the threats to your business. That is why it is time to deal with these realities and learn how a SOC such as CYREBRO can help alleviate them.