Overwork and burnout are very real issues for the IT security industry in 2020, according to the Chartered Institute of Information Security (CIISec)’s The Security Profession 2019/2020 report. In the survey of 445 IT security professionals, 54 percent of respondents had either left a job due to overwork or burnout, or had worked with someone who had. This could be down to a lack of funding and human resources.
82 percent of respondents said security budgets were not keeping pace with rising threat levels – whether rising too slowly, staying the same, or falling. At the same time, holidays or busy periods when security teams are either smaller or stretched thinly can greatly increase stress, and the risk to the organisation. 64 percent of respondents said their businesses simply hope to cope with fewer resources when necessary, whilst 51 percent would let routine or non-critical tasks slip.
“Sadly, security teams are only likely to come under more pressure in 2020, as the COVID-19 outbreak and its aftermath have profound effects on businesses’ budgets and ability to operate,” said Amanda Finch, CEO of CIISec. “Unless the industry can learn how to do more with less while also addressing issues of diversity and burnout, risks will rise and organisations will suffer. To avoid this, we need the right people with the right skills, giving them the help they need to reach their full potential. This doesn’t only apply to technical skills, but to the people skills that will be essential to giving organisations a security-focused culture that can cope with the growing pressure ahead.”
Against this background of increased pressure and risk, attracting and retaining security personnel needs to be a priority. The top three reasons to take a new security job were:
- the opportunity and scope for progression; and
- the variety of work.
Conversely, the top reasons for leaving a security job were a lack of opportunity or progression; unpleasant or bad management; and poor remuneration.
There is also the question of diversity. Of all the respondents, only 10 percent were women. While this has doubled since 2015, it still suggests there is a long way to go.
To better understand the need for diversity, CIISec dug further into the data for both men and women to investigate whether there were any notable differences. Although men and women were equally represented across age and level of education received, women were paid significantly less on average or were in lower paying roles. For instance:
- 37 percent of women earned less than £50,000 per year, compared to 21 percent of men
- 15 percent of women earned more than £75,000 per year, compared to 39 percent of men
- Only five percent of women earned more than £100,000, against 18 percent of men
- No women earned more than £125,000, but 12 percent of men did
“Addressing a lack of diversity in the industry isn’t only a matter of fairness,” continued Amanda Finch. “It also unlocks the skills and talents of a whole range of people who could collectively rejuvenate the industry and help reduce the huge pressure many security teams are under. We need to do all we can both to attract new blood to a career in security, and to ensure those already in place want to stay there. Understanding why people join – and why they leave – is the beginning of building a resilient workforce that can face the challenges ahead.”
The report also uncovered a number of insights, including:
- 67 percent of respondents said that the biggest challenge for security in an organisation was people, compared to processes at 14 percent and technology at 11 percent.
- Asked what the most significant security technologies for 2020 would be, by far the largest share of respondents said that AI will have the greatest impact – 31 percent singled out technologies such as AI and Machine Learning.
- The most-named example of the worst data breaches and security issues of the past year was the British Airways security breach, which also ranked highly in 2018 – showing that serious data breaches can have lasting business and reputational impact for an organisation.
About the Chartered Institute of Information Security:
The Chartered Institute of Information Security (CIISec), formerly the IISP, was established in 2006 to act as a focal point for the setting of standards in the information security profession and to promote the availability and growth of talent for government and businesses alike. Unlike many other certifications, the institute does not accredit on knowledge alone but requires professionals to provide evidence that they have successfully performed the required skills in the real world and have a track record of delivering to the highest standards. The institute works with academia to help develop new courses and entry routes into the profession, as well as corporate and government organisations to promote the growth of talent in the workplace.
APPENDIX: Data tables
Table 1: Are security budgets rising?
|Response|Share of respondents|
|---|---|
|Rising ahead of threat levels|7 percent|
|Rising behind threat levels|50 percent|
|Staying the same|24 percent|
|Don’t know|11 percent|
Table 2: How do companies deal with busy periods?
|Response|Share of respondents|
|---|---|
|Hope to cope with fewer resources|64 percent|
|Let routine or non-critical tasks slip|51 percent|
|Incentivise existing staff to cover tasks (e.g. through overtime)|9 percent|
|Increase resources (i.e. through hiring additional short-term staff)|4 percent|