Cyber security professionals regard their career as a vocation. They feel that their work has a genuine, valuable purpose; protecting the organisation they’re part of, and the customers it serves, and the world at large.
This comes from a new research commissioned by Symantec and led by Goldsmiths, University of London. It is based on feedback from more than 3,000 senior security professionals across France, Germany and the United Kingdom. The report is available for download here.
It finds that almost all (92 per cent) cyber professionals feel fully immersed in their work, even when it’s stressful. Indeed, 90 per cent of them say they thrive under pressure. And yet, simultaneously, 82 per cent of them feel burnt out. Two thirds are thinking of resigning from their current role, and about the same number are considering leaving the industry completely.
That’s worrying because it signifies that far too many cyber security professionals are being ground down by the realities of corporate life; limited decision-making powers, corporate inertia, rising responsibilities and static budgets. The evolving technology landscape, in particular cloud and mobility, creates new and complex security challenges. The vast majority of cyber professionals (82 per cent) report the amount of data flowing across multiple destinations means their estate is too vast and complex to defend effectively. The same percentage say they have too many cyber defence products to manage. Throw in the pressures of increasing regulatory compliance and the cyber security skills shortage, and it’s easy to appreciate how the reality of the day role isn’t matching the vocational calling.
The typical patchwork of legacy point solutions doesn’t help matters either – 82 perc ent say they suffer from security alerts (which are often duplicates, because they’re being triggered by multiple siloed security products). More than three quarters of professionals report having to rush assessments they are not wholly confident in, and so underestimate threats or incidents. More than two-thirds admit to having to go home and leave alerts unreviewed at the end of the day.
To compound that dire reality check, 41 per cent say a breach in inevitable, a third say they are currently vulnerable to avoidable threats (a searing indictment) and a quarter admit to having already suffered an avoidable incident. Throw in the pressures of increasing regulatory compliance and the cyber security skills shortage, and it’s easy to appreciate how the reality of the day job isn’t matching the vocational calling. No wonder two-thirds of cyber security professionals feel they are set for failure.
The full on, often reactive, nature of cyber security means it’s difficult to find the time to get on the front foot. It becomes a mend-and-make-do existence, saddled with increasing exposure and responsibility.
It needn’t be like this. Cyber security is one of the highest profile external threats to an organisation. It is a genuine boardroom concern, even if the board don’t understand the nuances. Effective security needs to be embedded across an organisation. It is a key enabler to transformation and growth. There are heavy fines and public censure for those that fall short. A step change cyber security budget is straight forward to justify, and platform-based solutions provide the maturity and management to address cyber security for more effectively.
For an industry with a serious skills shortage, leaders must step forward with a business-led modernisation agenda that will enable cyber security professionals, and their organisations, to take a more strategic approach. And that needs to happen quickly, before the numbers play themselves out.
Darren Thomson is EMEA CTO at Symantec.