Cybersecurity professionals are outgunned and burned out

Nearly half (48 percent total) of cybersecurity leaders across France, Germany and the UK believe their teams are falling behind in the skills race against would-be cyber criminals, according to Symantec.

This has put increased pressure on an already overloaded profession, with nearly two thirds of cybersecurity professionals considering quitting their jobs (64 percent total) or leaving the industry entirely (63 percent total).

“It is disturbing enough to know the barbarians are at the gate, without knowing the people attempting to defend you are outgunned and burned out. Yet, this is exactly what this new data reveals,” comments Darren Thomson, EMEA CTO, Symantec.

“It is hard to overstate the threat posed by an enemy that is learning faster than you are. If organisations value the security of their data and their finances, they must heed this warning and make strategic investments to address this emerging skills gap.”

Surveying 3,045 cybersecurity decision makers across France, Germany and the UK, the ‘High Alert’ study was commissioned by Symantec and conducted by Dr. Chris Brauer and his team at Goldsmiths, University of London.

The findings reveal a dire situation that is likely to become worse, before it gets better, as a vicious cycle of overload and stress is hampering professional skills development and decision making.

Just under half (44 percent total, 38 percent UK) of cybersecurity professionals say their teams lack the necessary skills to combat the threats their organisations face. Over a third (37 percent total, 23 percent UK) report their teams are simply not able to manage the sheer scale of the current workloads.

“I see a huge risk of burnout in today’s industry. Many people are operating at their limit,” says Dr Steve Purser, Head of Core Operations for ENISA and a former financial sector CISO. “When you look at the hours on top of the day job, you don’t have to be a rocket scientist to know that it’s going to take its toll.”

Falling further behind

As cybersecurity teams struggle to keep pace with would-be attackers and the speed of technological change continues to accelerate, the cybersecurity talent gap will only grow larger as organisations’ defences grow weaker. The research shows that:

• 46 percent (39 percent UK) of cybersecurity professionals report their teams are too busy to keep up with necessary skill development
• 45 percent (37 percent UK) say technological change is happening too quickly for them and their teams to adapt
• Almost half (48 percent total, 46 percent UK) say attackers now have ‘unprecedented’ resources and support from ‘bad actors’, such as organised crime and state-sponsored hackers

“Cybersecurity professionals are first responders, locked into a constant arms race with attackers – where talent and skill are the most important weapons,” comments Dr. Chris Brauer, Director of Innovation, Goldsmiths, University of London.

“The vast majority find this battle of wits an exciting and deeply intellectual challenge. But, this demanding work comes with high stakes and is fought at a frenetic pace with little support. Add to this the relentless volume of alerts and more mundane tasks, and the job can quickly turn toxic.

“Highly stressed workers are far more likely to be disengaged and ultimately quit. In an industry already plagued by a skills shortage, this is a significant risk to businesses.”

Taking its toll

The strain being placed on an already limited pool of cyber talent is negatively impacting the security of enterprises and the quality of threat analysis:

• Three in four (78 percent total, 67 percent UK) of cybersecurity professionals find themselves underestimating what is required to properly deal with a cybersecurity threat or incident
• The same number (77 percent total, 67 percent UK) find themselves rushing when assessing a threat
• Over two thirds (69 percent total, 55 percent UK) of respondents report feeling responsible for a cybersecurity incident that could have been avoided

“We’re not going to be able to recruit our way out of the talent gap. A more systemic change has to take place,” says Darren Thomson, EMEA CTO, Symantec.

“The cybersecurity landscape has changed dramatically since today’s CISOs entered the industry. With thousands of threat events happening every second and the complexity of the IT estate growing exponentially, simply keeping pace is a challenge.”

“Defensive strategies need to change. Machine augmentation is mission critical, but security leaders must ensure that these tools don’t become part of the problem. Taking steps to reduce the complexity of cybersecurity, use of cloud-delivered security, increased automation and smart use of managed services can all help to reduce overload and improve retention.”