Globally, organizations are witnessing a major exodus of employees in what has become known as the Great Resignation. With a recent study finding that more than half of security professionals are considering quitting their job, it’s clear that the cybersecurity industry is not immune to this problem.
Given that 51% of cybersecurity professionals have been stressed and burnt out due to higher workloads during the pandemic, it’s no wonder many people are considering leaving the industry altogether. And, of course, other people choose to leave their jobs in cybersecurity for better opportunities elsewhere.
Either way, a growing number of resignations in an industry historically plagued by massive skills gaps is alarming and puts organizations at higher risk of serious security breaches. Therefore, urgent action is needed to get to the bottom of these resignations and increase staff retention in the cybersecurity industry.
A serious problem
The Great Resignation has affected businesses across all sectors, but experts believe cybersecurity is one of the hardest-hit sectors. Kieron Holyome, vice president of UK and Ireland, Middle East and Africa at BlackBerry, calls the skills gap in the cybersecurity industry “almost critical”.
“One of the impacts of the great resignation and chronic shortage of cybersecurity talent is the prevalence of blind spots in security solutions, behind which lie gaping vulnerabilities,” he said. “These vulnerabilities are used by cybercriminals to plant attack vectors, which can sit dormant for years before choosing the right moment to strike and cripple businesses.”
Ilona Simpson, CIO for Europe, Middle East and Africa (EMEA) at Netskope, agrees that high rates of employees quitting security roles can have serious consequences for organizations. She warns that this can lead to poor mental health and low productivity in cybersecurity departments.
She tells Computer Weekly, “With a general skills shortage in the market, any gaps in the teams maintaining critical infrastructure will be acutely felt and can often take months to fill. Understaffed teams tend to be overworked, which can have a negative impact on both mental health and team effectiveness.”
Understaffed security teams also make it harder for businesses to put up defenses to prevent hacks, data leaks, and other serious cyber threats. “Furthermore, skill shortages across an enterprise can lead to delays in modifying programs or initiatives to improve overall operational security, leaving an enterprise exposed to threats longer,” she adds.
“While it is possible for companies to outsource change management projects, the cost can be a prohibitive factor for many. Finally, with a greater proportion of the workforce leaving companies, the risk of data exfiltration – whether deliberate or accidental – increases dramatically.”
Stay safe with fewer defenders
As cybersecurity teams experience a talent drain and cybercrime increases, organizations would be wise to take steps to improve retention in their cybersecurity teams and explore alternative solutions to bolster their online defenses. For starters, Simpson says companies need to manage the exit process “carefully and thoroughly” before employees leave.
“This is a key opportunity to gain alumni, as opposed to just a former employee, and preserving goodwill reduces the risk of company data being deleted due to dissatisfaction. It also allows the team in place to better understand the gaps that need to be filled,” she says.
Companies impacted by a lack of cybersecurity talent should reorganize their current resources to handle “high priority issues” and close any security gaps, according to Simpson. They can also adopt technologies such as artificial intelligence (AI) and provide enterprise-wide security awareness training to fill the void left by skills shortages.
“In the medium to long term, a company should explore opportunities to mitigate the impact of resignations,” she says. “This could include automation; examining processes and technology stack to determine if AI/ML [machine learning] could strengthen the current line of defense; or simply adopting broader educational programs across the organization to raise awareness of security risks.”
Business leaders have a responsibility to deal with the growing number of resignations in the cybersecurity industry. Simpson says employers need to understand the goals and fundamentals of leadership, making sure they don’t just assign tasks, but also provide employees with the tools and support needed to succeed in the workplace.
“Good leadership focuses on nurturing a good culture. Employer brand, role, and salary may be what attract people to join an organization, but it’s the culture that makes them stay. Teams must feel comfortable, both physically and intellectually. Leaders need to create a supportive culture that rewards employees for their engagement with companies,” she says.
“It’s certainly not easy in the world of hybrid working (and no one said it would be), but it’s not impossible. I’ve always found the best security talent to be people who bring intellectual curiosity and a penchant for problem solving to a team. So a simple step in these cases is to help them get rid of the administrative work and let them focus on problem solving.”
The round-the-clock nature of cyberattack and vulnerability mitigation can create a hectic workplace for many cybersecurity professionals, which has increased dramatically throughout the pandemic. Jake Moore, security specialist at ESET, fears this is one of the main contributors to the Great Resignation in the cybersecurity industry.
“The infosec industry can often overwhelm those who keep the cogs turning and ensure the cogs don’t fall off, but coupled with a lack of recognition or poor development opportunities, this can quickly turn sour for those who feel the burn,” he told Computer Weekly.
“This infosec industry may look very rosy on the outside with inviting corporate cultures often broadcast on social media, but many jobs are tiring with long hours constantly trying to keep persistent threats at bay.”
Moore believes the key to retaining cybersecurity professionals is listening to their opinions, providing development opportunities and creating a flexible workplace. “Many older generation managers want their workforce, especially in the technical field, to come back to the office more than their staff want, which can push people away. We are now beyond proving that employees can be trusted, so respect must follow.”
“Leaving the industry takes much longer to replenish lost talent, making it more difficult for the next generation. A mass exodus of personnel can have serious consequences, which I have seen firsthand when more police officers have left than have been recruited. This can have just as much of an impact on cybersecurity,” he adds.
Implement key steps
According to Oz Alashe, CEO of CybSafe, skills gaps and mass resignations in the cybersecurity industry can stifle business innovation, growth and security. But he is convinced that companies can take several effective steps in response to the implications of the Great Resignation.
First, he advises companies to manage the expectations of job candidates. “Many job postings set unrealistic expectations, looking for the oven-ready candidate for every role. Recruiting doesn’t match those highs,” he says.
“In the security industry, not all roles require technical expertise from the start. An engineer doesn’t have to be a cybersecurity whiz to create a great security product. The talent is there. Give people the support they need to thrive.”
Although resignations can lead to a brain drain within organizations, organizations can solve this problem by improving the skills of existing staff in crucial areas such as IT security and giving them the opportunity to fill vacancies in cyberspace.
Alashe says, “Every organization has talented people who want to learn more and improve their skills. Find the gems you already own and give them the support and training they need to succeed. You’ll find that this eases the pressure on recruitment and incentivizes and engages the best people to stay.”
Employers need to establish a relationship of trust with their cybersecurity specialists, allowing them to work in the way that best meets their needs. “Offering truly flexible work styles is the path to success. Too many organizations confuse hybrid working with the freedom and flexibility to choose work styles and arrangements. It’s not,” says Alashe.
“Employees want to be trusted to work in the way that works best for them. If an organization feels it cannot do this, then it needs to consider whether it has the right infrastructure and recruitment strategy in place. Provide true flexibility, and the best employees will return it.”
Some of the best cybersecurity organizations are adopting simple best practices to keep their employees happy and ultimately retain them. 1Password, for example, encourages open communication within its teams via dedicated Slack channels. It also offers mental health days, social benefits such as meditation sessions through the Headspace app, and training on topics such as responding to change.
Jeff Shiner, CEO of 1Password, says, “In reality, completely eliminating burnout is unrealistic. As long as the pandemic persists and threats escalate, it will remain a problem that businesses and employees will have to deal with. Fortunately, solutions exist to help alleviate burnout, and companies should consider integrating them into the core of their e-skills training initiatives.”
IT security specialists play a vital role in modern organizations, ensuring they are equipped to detect and respond to devastating cyber threats. So to see this industry affected by the Great Resignation is very concerning. What’s clear is that companies need to do more to encourage their cybersecurity employees to stay in their roles, whether that’s creating a more open workplace or improving staff mental health.