Opinion: The greatest cyber threat of all

==Intro para:

It is common knowledge that there are too few information security professionals to meet the demands of business. Estimates are that for every qualified information security practitioner entering the market in 2025 there will be at least five vacant positions for them to choose from, meaning that there will likely be more than 3 million positions still waiting to be filled, at least ten percent of these potentially at executive or CISO level.

Information Security as a choice of specialisation is now a hot topic because it pays really well – quite possibly the highest starting and career salaries in the IT professions. The lucrative salary, however, can come at quite a personal cost. How businesses manage this cost is perhaps hiding the greatest cyber threat of all…

==Article body:

It is common knowledge that there are too few information security professionals to meet the demands of business. Estimates are that for every qualified information security practitioner on the market in 2021 there will be at least three vacant positions for them to choose from. 

Information Security as a choice of specialisation is now a hot topic because it pays really well – quite possibly the highest starting and career salaries in the IT professions. The lucrative salary, however, can come at quite a personal cost.

That earning opportunity is attracting a lot of otherwise IT-capable people into considering security as a specialised discipline. Companies are paying more to attract and retain these skills. In spite of these lucrative opportunities, why is it that so many experienced security professionals are leaving their current employers?

IT has always been a high-stress profession, but Information and Cyber Security qualified specialists and executives are currently seen as the most likely subjects to experience cybersecurity burnout.

Although burnout is common in many high-tech, high-pressure industries, the pressures that security professionals are exposed to can take this to a new and disturbing level. 

One reason for this is that there are too few security specialists, so everyone who is able to deliver a competent cyber security function will be overworked – nothing new there in the IT space. But, apart from the brutally merciless 24×7 ‘fix it now’ ethos common to IT, cyber security practitioners have another equally challenging problem to contend with.

Cyber security in principle is about detecting and defending your company from active attacks by cyber criminals. It is an unending, intense and technically demanding process. This continual mindset of perpetually being aware of the potential for an aggressive attack, however, triggers an equally intense response in the best security practitioners, whose understanding and dedication can lead them to take a strong personal and emotional position in defence of their companies.

Often overworked, underappreciated, frequently blamed for that one failure out of a hundred unacknowledged successes, and rarely appreciated by the very business that they protect, these hyper-emotionally engaged front-line cyber warriors, whether at a network technical level, security operations executive, or at CISO level, can easily fall prey to a level of PTSD that can lead to serious burnout implications.

The very dedication that makes these professionals such an asset can become their Achilles’ heel: the best of the best do take cyber security extremely personally. This professionalism is their secret power. But no one has an infinite reserve of power, and even as highly paid as these professionals are, their employers frequently fail to invest in their emotional and physical well-being.

Indeed, at times employers not only fail to identify and address the real issues, but can often use outdated performance metrics and dangerously obsolete management practices to chastise the already stressed security practitioner.

Cyber Security is an adversarial environment: functioning well within this space requires suspicion, intuition, intelligence, research and dedication, and a level of focussed aggression. Due to its confrontational ethos, it also requires stress management techniques that rarely exist outside of the military, and almost never in a corporate environment.

The first signs of trouble within your security team can appear in the least expected places. Any cyber security manager will have seen this happen, but may not have fully understood the causes. If your job requires that you suspect everything, trust no-one until verified, and assume imminent attack at every corner, then as your stress increases your ability to leave this suspicion at the office begins to fail. The level of security intensity required at work as a cyber security professional is completely toxic to personal and family relationships. The first signs of trouble are broken relationships and divorces.

Some 90% of security professionals at a CISO level report that they suffer moderate to high levels of stress; 60% report that they have trouble switching off and cannot easily disconnect their business stress from their personal lives.

Given the investment that many organisations make in, and the dependence they have on, a functioning and reliable cyber security team, it is surprising that so few have any formal stress or counselling programmes for their “most valuable players”. Many companies would state that they have available counselling, but then confirm that it is voluntary.

Under voluntary participation conditions, even if top level counselling were available, there is stigma attached to counselling and most would decline – even the wise few that recognise the symptoms of PTSD would. 

If these cyber warriors – those that fight for you in the cyber space – were employed in any other adversarial profession (for example in the police, army, or even in a football team) they would have mandatory counselling sessions. No choice means no stigma. But sadly, at times when these cyber warriors themselves often do not realise they need help, they receive hostility, negativity, and ridicule if they ask for help from the very people they should trust the most.

It really is time to consider this in your business! If your business really needs the skill and diligence of these highly expensive to recruit and highly expensive to retain professionals, then should it not also ensure that it provides them with the counselling, support and stress protection commensurate with that value? This is not an executive level problem; if you want to actually have cyber security skilled executives it really makes sense to start this level of support with your most junior recruits.

The secondary cost of the loss of these professionals is perhaps even more disturbing: they do not just withdraw from security. Their experience of burnout is more brutal than most, and the need to recover themselves means that they often change career and are not willing to share or teach their hard-earned cyber security experience to the already under-supplied next generation.
