ESG and the Information Systems Security Association (ISSA) just published a third annual research report titled The Life and Times of Cybersecurity Professionals. (See the latest version here.)
This year, we asked respondents to identify the most stressful aspects of a cybersecurity job/career. Here are the results:
- 40% of respondents said that one of the most stressful aspects of a cybersecurity career is keeping up with the security needs of new IT initiatives. So, the IT team is busy moving workloads to the cloud, deploying IoT devices, or writing new mobile applications, driven by new business initiatives. Unfortunately, the cybersecurity team often lacks the appropriate technical knowledge and must play catch-up on understanding risks associated with changing business processes. This is a risky situation.
- 39% of respondents said that one of the most stressful aspects of a cybersecurity career is finding out about IT initiatives/projects that were started by other teams within the organization with no security oversight. Okay, take the previous scenario around keeping up with IT initiatives and throw in the element of surprise. Think about when a marketing executive announces, “We’ve decided to share sensitive customer data with a third party that specializes in customer profiling and analysis. We started this project three months ago.” Now the CISO must figure out how to safeguard the data after the fact. Pretty darn stressful.
- 38% of respondents said that one of the most stressful aspects of a cybersecurity career is trying to get end-users to understand cybersecurity risks and change their behavior accordingly. Yes, most large organizations do security awareness training, but it’s treated as a check-box exercise only. Since people are a weak link in the security chain, most organizations don’t push cybersecurity education far enough, leading to a stressful work environment and big cybersecurity problems.
- 37% of respondents said that one of the most stressful aspects of a cybersecurity career is trying to get the business to better understand cyber-risks. I have good news and bad news here: The good news is that we are on the cusp of a new class of proactive risk management tools from vendors like Kenna Security, Rapid7, RiskLens, RiskSense, Tenable Networks, and others that can monitor and report on cyber-risk in real time. This class of technology will help CISOs and business executives make data-driven and timely risk mitigation decisions. The bad news is that too many companies still view cybersecurity as a necessary evil and really don’t care to better understand cyber-risk. Cybersecurity professionals working at this kind of organization should address job stress by simply moving on.
- 36% of respondents said that one of the most stressful aspects of a cybersecurity career is trying to keep up with the growing workload. There’s that pesky cybersecurity skills shortage again. Certainly, there are things that can be done here (technology integration, process automation, and managed services come to mind), but this is a societal issue that the public and private sector must deal with collectively.
The latest version of the ESG/ISSA research report is available for free download here. Your feedback is most welcome.