Burn baby burn, infosec inferno: Just 21% of security pros haven't considered quitting their current job
Chartered Institute of Information Security finds many overworked, under-resourced, stressed
Almost one in five infosec pros have quit a job due to overwork or burnout caused by the constant pressure of keeping things safe and doing so without the resources to counter ever-evolving threats.
This is the gloomy picture painted by a report from the Chartered Institute of Information Security (CIISec – previously known as IISP), which surveyed 445 security specialists.
"In an era where workplace stress, mental illness, mindfulness and work-life balance are matters of importance and interest, we sought to understand if the security profession was at risk of burning itself out," the report, Security Profession 2019/2020 [PDF], stated.
CIISec asked if the sector is trying to "cope with a growing problem by relying on a static and under-resourced workforce? And what does this mean for the people at the coal face?"
Some 18 per cent said they had personally walked out of a role permanently because of burnout; 36 per cent professed to knowing someone that had left due to it; and another 25 per cent claimed they had considered it.
"Sadly, only 21 per cent have had no brushes with this problem at all," the report added.
This was the first time CIISec had specifically polled security people on the topic, so it said it has no previous data to compare with the latest findings.
So why the discontent from those surveyed? The majority (64 per cent) claimed it was being forced to cope with fewer resources; and just over half also said stresses and strains were compounded by routine daily tasks slipping away in the flood of work. A lack of incentives including overtime and time in lieu was another reason cited.
Against a backdrop of workplace stress, "the fact that companies 'muddle through' rather than recognising the increased efforts of staff, seems to worryingly reveal that the overwork problem is not one that is being acknowledged," it added.
The topic of burnout in the field of infosec isn't new so it's curious that the CIISec hasn't probed members on it before. A survey on the topic by Symantec in April last year revealed that 83 per cent of 3,000 pros it spoke to reported feeling burnout and two-thirds were considering whether to leave the industry entirely.
Another reason for some in the security department to feel overwhelmed is the lack of funding: the CIISec report found that just 7 per cent believed their security budget was rising ahead of threat levels, down from 11 per cent last year. Half said it was rising behind threat levels, 24 per cent said it was static and 8 per cent said it was falling.
"The overall theme seems to be one of shrinking security spend," the report added.
That said, 53 per cent reckoned they are getting better at defending their systems and 56 per cent said the industry was better at dealing with failures, breaches and incidents. It's just that the satisfaction of doing so might not be enough for some.
Jake Moore, security specialist at ESET, said a "deadly mix of ingredients" including a rise in ICO fines, incessantly evolving threats and fewer tools was "creating exhaustion" among some security folk.
"Stress is undoubtedly playing a huge part in the burnout of so many infosec professionals," he told The Register. "A constant deluge of the latest attacks cause a huge burden on those in charge of systems which is made worse when the finger pointing starts in trying to ascertain who is at fault.
"If possible within an organisation, it can help to introduce job rotation for employees. Those monitoring cyber threats are likely to be at risk of increased stress levels and it's important to keep this pool of talent in the industry before burnout strikes."
The answer to the problem is simple, if only employers would heed the words of this Reddit commenter: listen to and respect the calls from the security team; pay wages that "match... stress levels"; ask for input on hires rather than hire unsuitable people; and last but not least: "let us do our jobs." ®