Globally, organisations are witnessing a significant exodus of employees in what has become known as the Great Resignation. With a recent study finding that more than half of security professionals are contemplating leaving their jobs, it’s clear that the cyber security industry isn’t immune to this problem.
Considering that 51% of cyber security professionals experienced stress and burnout as a result of higher workloads during the pandemic, it’s no wonder that many people are thinking about exiting the industry altogether. And, of course, other individuals are choosing to leave their cyber security jobs for better opportunities elsewhere.
Whatever the case, a growing number of resignations in an industry historically plagued by considerable skills gaps is alarming and puts organisations at a higher risk of serious security breaches. Therefore, urgent action is required to get to the bottom of these resignations and increase staff retention in the cyber security sector.
A serious issue
The Great Resignation has affected businesses across all industries, but experts believe that cyber security is one of the hardest-hit sectors. Kieron Holyome, vice-president of UK and Ireland, the Middle East and Africa at BlackBerry, brands the skills gap in the cyber security industry as “verging on critical”.
“One impact of the Great Resignation and chronic short supply of cyber security talent is the prevalence of blind spots in security solutions, behind which lie gaping vulnerabilities,” he says. “These vulnerabilities are used by cyber criminals to plant attack vectors, which can lie dormant for years before choosing the opportune time to strike and cripple businesses.”
Ilona Simpson, CIO of Europe, the Middle East and Africa (EMEA) at Netskope, agrees that high rates of employees resigning from security positions can have severe consequences for organisations. She warns that this can cause poor mental health and low productivity in cyber security departments.
She tells Computer Weekly: “With a general skills shortage across the market, any gaps in teams that maintain critical infrastructure will be felt sharply and can often take months to fill. Teams that are understaffed tend to be overworked, which can have a negative impact on both mental health and also team effectiveness.”
Understaffed security teams also make it harder for businesses to implement defences for preventing hacks, data leaks and other serious cyber threats. “In addition, skills shortages throughout a business can cause delays to change programmes or initiatives designed to improve overall operational security, leaving a business open to threats for longer,” she adds.
“While it is possible for businesses to outsource change management projects, the cost can be a prohibitive factor for many. Finally, with a larger proportion of the workforce exiting businesses, the chance of data exfiltration – whether deliberate or accidental – increases significantly.”
Keeping secure with fewer defenders
With cyber security teams experiencing an exodus of talent and with cyber crime increasing, organisations would be wise to take steps to improve retention in their cyber security teams and explore alternative solutions to shore up their online defences. For starters, Simpson believes that firms should “carefully and thoroughly” manage the exit process before employees quit their roles.
“This is a key opportunity to gain alumni, as opposed to just a former employee, and preserving goodwill reduces the risk that corporate data will be removed due to disgruntlement. It also allows the incumbent team to get a better grasp of what gaps they need to address,” she says.
Companies affected by a lack of cyber security talent should reorganise current resources to manage “high-priority issues” and close any security gaps, according to Simpson. They can also adopt technologies such as artificial intelligence (AI) and provide company-wide security awareness training to fill the void left by skills shortages.
“In the mid to long term, a business should explore opportunities to dull the impact of resignations,” she says. “This could include automation; reviewing processes and the technology stack to determine whether AI/ML [machine learning] could enhance the current line of defence; or simply enacting broader educational programmes across the organisation to raise awareness of security risks.”
Business leaders have a responsibility to address increasing resignations in the cyber security industry. Simpson says employers should understand core leadership purposes and principles, ensuring they don’t simply assign tasks but also provide employees with the tools and support needed to succeed in the workplace.
“Good leadership focuses on breeding good culture. Employer brand, role and salary might be what attracts people to join an organisation, but it is culture that makes them stay. Teams need to be made to feel comfortable, both physically and intellectually. Leaders need to build a supportive culture that rewards employees for engaging with the businesses,” she says.
“This certainly isn’t easy in the hybrid working world (and no one said it would be), but it isn’t impossible. I have always found the best security talent to be people who bring intellectual curiosity and a bias for problem solving to a team. So a simple step in those cases is to help rid them of admin work and let them focus on problem solving.”
The round-the-clock nature of mitigating cyber attacks and vulnerabilities can create an intense workplace for many cyber security professionals, which has increased dramatically throughout the pandemic. Jake Moore, a security specialist at ESET, fears that this is one of the main contributors to the Great Resignation in the cyber security industry.
“The infosec industry can often overwhelm those keeping the cogs turning and making sure the wheels don’t fall off, but coupled with a lack of recognition or poor development opportunities, it can soon turn sour for those feeling the burn,” he tells Computer Weekly.
“This infosec industry can look very rosy from the outside with inviting company cultures often bandied around social media, but many of the jobs are tiring with long hours constantly in attempts to keep persistent threats at bay.”
Moore believes that the key to retaining cyber security professionals is listening to their opinions, providing development opportunities and creating a flexible workplace. “Many older-generation managers desire their workforce, particularly in technical, to come back to the office more than their staff may want, which can push people away. We are now beyond proving that employees can be trusted, therefore due respect must follow.
“Leaving the industry takes far longer to replenish the talent lost, which makes it more difficult for the next generation. A mass exodus of staff can have severe consequences, which I have seen first hand when more police officers left than were recruited. This can have just as much of an impact in cyber security,” he adds.
Implement key steps
Skills gaps and mass resignations in the cyber security industry can stifle innovation, growth and security posture in businesses, according to CybSafe CEO Oz Alashe. But he’s confident that companies can take several effective steps in response to the implications of the Great Resignation.
First, he advises businesses to manage the expectations of job candidates. “Many job adverts set unrealistic expectations, looking for the oven-ready candidate for every role. Recruitment fails to match these heights,” he says.
“In the security industry, not every role requires technical expertise from the get-go. An engineer does not need to be a cyber security whizz to build a great security product. The talent is there. Give people the support to flourish.”
While resignations can result in a brain drain inside organisations, they can solve this issue by upskilling existing staff in crucial areas such as IT security and giving them opportunities to fill vacant cyber roles.
Alashe says: “Every organisation has talented people eager to learn more and improve their skill set. Find the gems you already have and give them the support and training they need to succeed. You’ll find this eases the pressure on recruitment and incentivises and engages the best people to stay.”
Employers should build trust with their cyber security specialists, allowing them to work in a fashion that best suits their needs. “Offering truly flexible working styles is the path to success. Too many organisations are confusing hybrid working with freedom and flexibility to choose working styles and arrangements. It’s not,” says Alashe.
“Employees want to be trusted to work in the way that is best for them. If an organisation feels it cannot do this, then it needs to consider whether it has the right infrastructure and recruitment strategy in place. Provide genuine flexibility, and the best employees will repay that trust.”
Some of the top cyber security organisations are adopting simple best practices to keep their employees happy and ultimately retain them. 1Password, for example, encourages open communication in its teams via dedicated Slack channels. It also provides mental health days, employee benefits such as meditation sessions through the Headspace app, and training on topics such as responding to change.
Jeff Shiner, CEO of 1Password, says: “In reality, eliminating burnout altogether is not realistic. So long as the pandemic persists and threats escalate, it will remain an issue that both companies and employees will have to deal with. Fortunately, solutions do exist to help alleviate burnout, and companies should consider making them core to their cyber skills training initiatives.”
IT security specialists play a vital role in modern organisations, ensuring they are equipped to spot and respond to devastating cyber threats. So, to see this industry affected by the Great Resignation is very concerning. What’s clear is that businesses need to do more to encourage their cyber security employees to stay in their roles, whether it’s by creating a more open workplace or by improving staff mental health.