Cybersecurity specialists worry more about day-to-day stress and lack of career progression than about suffering a cyberattack, according to the latest “State of the Profession” report from the Chartered Institute of Information Security (CIISec), the seventh annual survey of the cyber industry. In the survey of 315 people, a third (32 percent) of respondents said they were kept awake by stress at work, a quarter (25 percent) by lack of opportunities and only 22 percent by their organization falling victim to a cyberattack.
One way to reduce cyber stress, a topic in the September print edition of Professional Security Magazine, would be to follow best practices, using simple but effective guidelines to protect organizations against the most common cyber attacks, says CIISec. But the certified body’s findings suggest that organizations have been slow to adopt industry standards. Almost half (49 per cent) do not follow the UK government’s Cyber Essentials, a program that provides basic best practice; and 20 per cent have officially adopted the UK National Cyber Security Center (NCSC) ‘Ten steps to cyber security’ guidelines.
Amanda Finch, CEO of CIISec, said, “Failure to adopt industry standards challenges security teams when it comes to protecting organizations against cyberattacks, and only adds to their daily stress. Without investing the time and effort to make life easier for cybersecurity professionals, organizations are setting themselves up for failure. People need to be supported in their role – with the right processes in place, the skills to do their job effectively, and clear paths to progress. Without it, the industry will soon see burnt-out talent that cannot defend against evolving threats.”
CIISec is hosting its annual conference, CIISec Live, at Edinburgh Napier University on 7 September. Speakers include David Ferbrache, Chairman of the National Cyber Resilience Advisory Board for Scotland; Mary Haigh, CISO for BAE plc; Rory Alsop, Head of Information Security and Cyber Risk at Tesco Bank; Tim Ward, co-founder of security awareness software company Think Cyber Security; Jill Trebilcock and Andy Cobbett, CIISec Board Members; and Professor Bill Buchanan who runs the Blockpass ID Lab at Edinburgh Napier.
Other report findings:
– “People” are still the biggest cybersecurity challenge: Most respondents, 70%, say “people” are the biggest security challenge they face, compared to technology (17%) and processes (13%).
– the online market is still booming: three-quarters (75%) see the market as “growing”, and an even more positive 15% say it is “booming”.
– the covid pandemic has boosted job prospects for some: 33% of respondents say their job prospects have improved due to the pandemic, and only 4.3% say their prospects have deteriorated.
– despite these burgeoning prospects, a majority of respondents experienced barriers to career progression – including a lack of confidence in their own abilities (identified by 38%), a lack of support or mentorship from organizations (38%), an assumption that they lack skills for the roles (36%), a feeling of being intrusive/not accepted (28%) and a lack of training opportunities (28%).
Compensation, opportunities and management are key to attracting and retaining talent, it seems; the top five reasons attracting respondents to security jobs were money/remuneration; possibility and room for improvement; variety of work; training opportunities; and autonomy. Conversely, the top five reasons respondents left were lack of opportunity; poor pay; poor or ineffective management; insufficient training; and boring or monotonous work.
When it comes to diversity, the CIISec report found that the vast majority of respondents were male – 83% – while a quarter (26%) could not say their organization offered equal opportunities. Some 38% of organizations have not implemented development programs to encourage women to join the profession or to promote those who are already in it, and a further 5% have tried but failed. One in five respondents, or 21%, could not say they would be comfortable raising concerns about harassment, whether about themselves or others. Yet organizations value diversity: 90% of respondents believe their organization values people from all cultures and backgrounds.
Amanda Finch added, “Without diversity and inclusion, the industry will stagnate and be unable to deal with complex cyber threats. By understanding and highlighting the variety of roles within cybersecurity, the industry can begin to appeal to a wide range of people. From forensics to threat intelligence to researchers, there are opportunities for everyone. At the same time, the industry not only needs to attract people from diverse backgrounds, but also to create an inclusive culture. Cybersecurity can no longer be seen as a “boys only club” where technical skills are valued above all else. We need to move away from that and continue to create a culture where everyone can thrive, feel valued and accepted.”