Steve Moore, Vice President and Chief Security Strategist, Exabeam explores ways to improve the problem of security professionals suffering from burnout and a lack of diversity.
The cybersecurity industry and professionals who work in it are a major success story. IDC says cybersecurity spending will grow to $133.8 billion by 2022, while Gartner puts it at $170.4 billion. According to Cybersecurity Ventures, cumulative spend between 2017 and 2021 will be more than $1 trillion.
It’s a major driver of overall tech spending, and according to SpiceWorks sits only behind the need to upgrade outdated infrastructure as the reasons why IT budgets are increasing this year. The numbers are huge and there’s no sign of momentum slowing down.
There are plenty of people out there who’ll say this still isn’t enough, and they have a good point. But whichever way you look at it, solutions, services and skills are in huge demand, with 2.8 million cybersecurity professionals employed around the world.
So, what’s the problem? Growth and success are to be applauded, but despite being an industry where positivity is easy to find, cybersecurity faces some major employment issues that - as an industry - we need to own and address. There are several that should be of particular concern to those working in the sector and beyond:
An acute and growing skills shortage
While it seems that increasing investment in cybersecurity is currently a given, companies are spending in the face of a crippling cybersecurity skills shortage. Studies consistently back this up: ESG/ISSA recently found that a massive 74% of organisations have been affected by it, Gartner found that 61% of organisations are struggling to hire security professionals, and (ISC)2 stated that the shortage of people to fill job vacancies, “has never been more acute”.
In wider terms, Cybersecurity Ventures says there will be 3.5 million unfilled positions by 2021. These conditions are combining to take a toll on the cybersecurity profession and the industry - one of the most worrying is that when teams lack resources, stress and burnout can often follow.
Heading for burnout
In terms of workplace stress, cybersecurity is far from a special case - it’s a problem everywhere. Indeed, according to the American Psychological Association's 2017 research, 61% of respondents said work is a very or somewhat significant source of stress.
But looking specifically at our industry, Exabeam’s 2019 Cybersecurity Professionals Salary, Skills and Stress Survey, found that 62% of cybersecurity professionals said they found their jobs stressful or very stressful, with only 6% saying their job was not stressful at all. Similarly, 44% said they don’t feel they are achieving a work-life balance. And while 71% said they are satisfied with their jobs and responsibilities, that’s down sharply from 83% just a year earlier.
Burnout is also leading cybersecurity professionals to look elsewhere for career opportunities. In the survey, 40% said they are currently looking for a job, and more than half of those cited poor compensation and unsupportive senior leadership as reasons for making a change.
Diversity - a problem and an opportunity
The demographic makeup of the cybersecurity industry is a huge issue. Despite the ubiquitous need for more talent, the profession is failing to draw anywhere near enough interest from diverse groups. In Exabeam’s study, an overwhelming majority (91%) of survey respondents were male, and 65% were white. Less than 3% were African-American.
Looking at the entire IT industry in the UK shows the true depth of the problem. In 2019, only 16.4% of industry as a whole were women. If that was part of a rapid upward trend, then perhaps we could be more optimistic, but that figure was actually down from 17.4% in 2018.
More specifically, Cybersecurity Ventures puts the number of women working in the industry at 20%. Addressing inequality of opportunity and employment also gives the industry a chance of dealing with its skills shortage, so why aren’t we getting there faster?
The problem could be that embracing diversity is about changing culture, and we know that, unfortunately, changing corporate culture can take time. Leaders have a huge role to play in supporting their teams and creating opportunities for those that are currently underrepresented.
Job shadowing, internships, broadening recruitment requirements, are just some of the relatively easy initiatives that just about every business can take. Leaders who succeed at broadening their teams will be the ones who ultimately create a more inclusive, comfortable and productive environment where professionals believe they can deliver exceptional work, engaging with confidence and without ego.
Looking to the Positive
But let’s balance this out a little, because there is a lot of positivity across the industry. Despite the problems it creates, employees are benefitting from the skills shortage with greater job security. Indeed, 76% of those surveyed said they feel secure or very secure in their current role.
Nearly half of cybersecurity professionals said they have been building a career in the industry for 10 years or more, and 78% of respondents would recommend a career in cybersecurity.
But here’s the bottom line - executives are often asked about their top concerns, what bothers them most and what they have to prioritise in the year ahead. More often than not cybersecurity is most pressing. Skills shortages frequently make the lists too.
That’s perfectly understandable - these are clear and present dangers to the ability of businesses to function. What you rarely see in these surveys, however, are the issues of stress in the workplace and equality. Yet, dealing with these issues offers the prospect of building a better and healthier industry where even more people can share in its success.