Enterprises can expect to see some pretty dramatic churn in their cybersecurity departments in the next two years if they’re not proactive about countering security burnout. A prediction out today by Gartner estimates that almost half of cybersecurity leaders will change jobs by 2025. More startling, the analyst firm predicts that one in four leaders will exit the security stage completely.
According to Deepti Gopal, director analyst for Gartner, cybersecurity professionals are generally facing “unsustainable levels of stress.” For CISOs and other security managers, the mental and emotional fallout from occupying the scapegoat role is not only spurring many of them to look outside of their current jobs or their professions, it’s also impacting their effectiveness when they stay.
“CISOs are on the defense, with the only possible outcomes that they don’t get hacked or they do,” Gopal says. “The psychological impact of this directly affects decision quality and the performance of cybersecurity leaders and their teams.”
Negative Unemployment & Burnout Persist in Cybersecurity
For a long time now, the need for cybersecurity expertise has gone unfilled across the entire industry. Per last year’s (ISC)2 estimates, by 2025 there will be a shortfall of 3.5 million cybersecurity experts. Even as other jobs in the tech industry begin to evaporate in the face of tech sector layoffs, cybersecurity appears to be immune to this. A report earlier this month from (ISC)2 showed that only 10% of corporate executives expect to lay off members of their cybersecurity teams this year.
However, these seemingly positive numbers about job security in the cybersecurity world could actually be a red flag for what’s currently ailing the profession. That is, burnout and job dissatisfaction are making it tough to recruit and retain talent. A different survey out this week from Magnet Forensics shows this phenomenon within the rank-and-file population of security analysts and investigators: More than half of these security pros reported feeling burned out in their jobs.
Often, the discussion of cybersecurity burnout revolves around topics like alert fatigue and workload imbalances, particularly among security operations center (SOC) workers. For example, the Magnet report showed that 64% of those workers cited alert fatigue as playing a role in their burnout. However, the news that one in four CISOs will leave their profession altogether hints at even deeper issues.
The Trouble With CISO Satisfaction
CISOs aren’t necessarily running down alerts constantly the way their employees are, but they’re overloaded with other career fatigue factors.
“CISOs are constantly trying to balance high expectations against an absence of the tools needed to meet those expectations,” Gartner analysts wrote in the prediction piece. “Compliance-centric cybersecurity programs, significantly low executive support, and subpar industry-level maturity are all indicators of an organization that does not view security risk management as critical to business success.”
One of the big factors that could have CISOs reconsidering their career trajectory in cybersecurity altogether is the fear about what will happen to their professional reputation if their company gets breached, says Diana Kelley, a veteran cybersecurity executive and co-founder and CSO of Cybrize, a cybersecurity workforce planning platform. She says CISOs and CSOs worry about “having their name dragged through the mud” after a breach, or even facing criminal charges, which feels more possible in the fallout from the conviction of Uber’s Joe Sullivan last year.
“I’m also curious if downward pressure on the level of the CISO and the salary are having an impact,” Kelley muses. “CISOs have long been talking about getting to the C-suite and reporting to the CEO, but I’ve heard more CISOs complain about getting pushed down a level and far fewer celebrating leveling up to true C-suite.”
“If you aspired to be a CISO for the $1 million payday and now are in a role where you’re under extreme pressure, getting up at 3 a.m. on Saturday to deal with breaches, and being paid $234,000 — while your buddy who’s doing DevOps is making $250,000 and sleeping all weekend — you might just say, ‘to heck with cyber!’”