A new report says 65% of cybersecurity and IT workers are considering quitting their jobs, and a chief information security officer (CISO) stays in post, on average, for a much shorter period than a chief financial officer (CFO) or a chief executive officer (CEO). This is despite a talent shortage in which CISO salaries and benefits total up to $6.5 million in some parts of the US. Stress is a likely reason for the high turnover in cybersecurity roles; a culture of cybersecurity may be part of the solution.
CNBC reported on Friday on the findings of a recent Nominet UK survey, which found that the average tenure of a CISO is 18 to 24 months, whereas the average tenure of a CFO is 6.2 years and that of a CEO is 8.4 years. CISOs cite stress and the urgency of the job as their reasons for leaving a role.
The report points to a Ponemon Institute study that concluded that 65% of IT and cybersecurity professionals consider resigning because of burnout.
Cybersecurity salaries and rewards can be great
A Bloomberg article in August 2019 titled “Cybersecurity Pros Name Their Price as Hacker Attacks Swell” summarised a few of the huge salaries available to CISOs.
One of America’s largest companies paid a $650,000 salary to its 2012 CISO hire. In 2019 it had to pay $2.5 million for the very same position.
Matt Comyns of IT recruiters Caldwell Partners says "it's a full-on war for cyber talent," and that "everyone's throwing money at this." Comyns says firms on the West Coast of the US can pay as much as $6.5 million in salary and stock rewards for CISOs.
CISOs are able to negotiate better deals: CEOs often grant greater benefits to retain these security executives, because their own jobs may be on the line if an expensive cyberattack occurs.
In March 2019 CNBC cited figures from the non-profit security organisation (ISC)² putting the number of unfilled cybersecurity positions worldwide at 2.93 million.
The pressure is on for cybersecurity executives and CISOs
In just the first half of 2018, data breaches exposed a total of four billion records. IBM and the Ponemon Institute put the cost of an average data breach at $3.86 million, with larger-scale breaches costing the affected company up to $350 million.
Jon Oltsik, a senior analyst at IT research firm Enterprise Strategy Group said earlier this year that trained cybersecurity staff are essential to prevent cyberattacks and added:
“I always say that cybersecurity professionals are like physicians, in that they have to spend ample time studying the latest research and threat intelligence.”
Years ago, general IT staff used to deal with cybersecurity problems. The sheer growth of cyberthreats, and the implications of cyberattacks for future business success, mean that a whole team of cybersecurity professionals following a defined cybersecurity strategy is often needed today. Even smaller firms need someone in charge of cybersecurity and/or data privacy to ensure sufficient focus on the issue. These factors are driving the shortage of cybersecurity talent. Oltsik is also quoted by CNBC as outlining another issue:
“When the cybersecurity team is busy putting out fires, they don’t have enough time to develop training courses, work with business units, or educate the workforce.”
Another recent study found that 77% of UK workers have not received cybersecurity training, despite individual employees being a critical last line of defence against cyberattacks delivered via phishing emails.
According to IT Governance, data breaches in 2019 could have affected over 10 billion records. The latest 2019 cybercrime report from Europol, published last week, says cybercrime is becoming bolder and increasingly targets companies, and that ransomware is still the most pressing issue.
A culture of cyber security could help IT employees fight cybercrime and reduce stress
CNBC’s recent news article was penned by Stephen Boyer, CTO of BitSight and a member of the CNBC Technology Executive Council. It mentions a recent high-profile data breach where it was suggested the CISO clashed with employees, leading to high turnover in the cybersecurity team and potentially contributing to the breach.
Boyer says that cyber culture is one key to cybersecurity and CISO success, writing:
“Strong CISO candidates will demonstrate the ability to find, hire and retain the right people to execute on security strategy and create a culture in which employees are trusted and empowered security practitioners.”
Cybersecurity leaders must demonstrate management skills in the same way that CEOs do, in addition to executing cybersecurity processes. Cybersecurity teams, as well as their CISOs, must be motivated.
For a true culture of cybersecurity, CEOs need to empower and reward their security personnel, and every non-cybersecurity employee should have complete buy-in to corporate cybersecurity. When every part of a business has some awareness of cybercrime, that awareness adds a layer of protection on top of the cybersecurity team and its systems. Cross-company security awareness training can help to achieve this.
Engage your staff with scenario-based security awareness training or “In-the-Moment” training.