Burn baby burn, infosec inferno: Just 21% of security pros haven't considered quitting their current job

Chartered Institute of Information Security finds many overworked, under-resourced, stressed


Almost one in five infosec pros have quit a job due to overwork or burnout caused by the constant pressure of keeping things safe and doing so without the resources to counter ever-evolving threats.

This is the gloomy picture painted by a report from the Chartered Institute of Information Security (CIISec – previously known as IISP), which surveyed 445 security specialists.

"In an era where workplace stress, mental illness, mindfulness and work-life balance are matters of importance and interest, we sought to understand if the security profession was at risk of burning itself out," the report, Security Profession 2019/2020 [PDF], stated.

CIISec asked if the sector is trying to "cope with a growing problem by relying on a static and under-resourced workforce? And what does this mean for the people at the coal face?"

Some 18 per cent said they had personally walked out of a role permanently because of burnout; 36 per cent professed to knowing someone that had left due to it; and another 25 per cent claimed they had considered it.

"Sadly, only 21 per cent have had no brushes with this problem at all," the report added.

This was the first time CIISec specifically polled security people on the topic so said it has no previous data to compare with the latest findings.

So why the discontent from those surveyed? The majority (64 per cent) claimed it was being forced to cope with fewer resources; and just over half also said stresses and strains were compounded by routine daily tasks slipping away in the flood of work. A lack of incentives including overtime and time in lieu was another reason cited.

Against a backdrop of workplace stress, "the fact that companies 'muddle through' rather than recognising the increased efforts of staff, seems to worryingly reveal that the overwork problem is not one that is being acknowledged," it added.

The topic of burnout in the field of infosec isn't new so it's curious that the CIISec hasn't probed members on it before. A survey on the topic by Symantec in April last year revealed that 83 per cent of 3,000 pros it spoke to reported feeling burnout and two-thirds were considering whether to leave the industry entirely.

Another reason for some in the security department to feel overwhelmed is the lack of funding: the CIISec report found that just 7 per cent believed their security budget was rising ahead of threat levels, down from 11 per cent last year. Half said it was rising behind threat levels, 24 per cent said it was static and 8 per cent said it was falling.

"The overall theme seems to be one of shrinking security spend," the report added.

That said, 53 per cent reckoned they are getting better at defending their systems and 56 per cent said the industry was better at dealing with failures, breaches and incidents. It's just that the satisfaction of doing so might not be enough for some.

Jake Moore, security specialist at ESET, said a "deadly mix of ingredients" including a rise in ICO fines, incessantly evolving threats and fewer tools was "creating exhaustion" among some security folk.

"Stress is undoubtedly playing a huge part in the burnout of so many infosec professionals," he told The Register. "A constant deluge of the latest attacks cause a huge burden on those in charge of systems which is made worse when the finger pointing starts in trying to ascertain who is at fault.

"If possible within an organisation, it can help to introduce job rotation for employees. Those monitoring cyber threats are likely to be at risk of increased stress levels and it's important to keep this pool of talent in the industry before burnout strikes."

The answer to the problem is simple, if only employers would heed the words of this Reddit commenter: listen to and respect the calls from the security team; pay wages that "match... stress levels"; ask for input on hires rather than hire unsuitable people; and last but not least: "let us do our jobs." ®


Keep Reading

Dell cuts jobs again... which in Dell-speak is 'addressing cost structure to make sure we’re competitive'

HCI hit, security slugged, UXers axed, solutions peeps’ jobs dissolved

UK govt urged to bolt tough legal protections onto Arm and protect jobs – or simply veto Nvidia's £31bn acquisition

Ambitions to see the rise of a Brit equivalent to Apple is cool and all but that strategy must include safeguarding chip designer, says union

Google contractor HCL America accused of retaliating against unionized techies by shifting US jobs to Poland

Pittsburgh workforce erosion, punitive policies cited in labor complaint

Crazy idea but hear us out... With robots taking people's jobs, can we rethink this whole working to survive thing?

A nation of takeout deliverers

All your jobs are belong to us... Amazon is hiring 75,000 people but if you want US home groceries, tough luck

Nice to see Jeff Bezos catching a break

UK govt advert encouraging re-skilling for cyber jobs implodes spectacularly

Minister disowns 'crass' spot that shows American woman as Brit ballerina and seemingly belittles beleaguered arts sector

UK lawmakers welcome Microsoft's sack of training pressies for hard-pressed Brits as jobs searches spike

New skills aplenty and Teams tweaks from Uncles Brad and Satya

Steve Jobs, executives shot down top Apple engineers' plea to design their own server CPU – latest twist in legal battle over chip upstart Nuvia

Techies quit to go it alone, iGiant tries to lure away their staff – then sues – court told

Biting the hand that feeds IT © 1998–2020