Salary only goes so far

by Mark Rowe

The talent crisis in cyber requires a common language, writes Adam Vincent, Co-Founder and CEO of ThreatConnect, a threat intelligence platform.

Last month the ICO reported a ‘steady and significant’ increase in cyber attacks against UK firms over the past two years. This is proof that the threat of cyber attacks on UK organisations is ever-present.

Against the backdrop of a pandemic that saw cybersecurity teams face new challenges, cyber experts are now inundated with problems. Our recent research revealed that over a third of SecOps workers reported being ‘very’ stressed in their current job, the most common causes being heavy workloads, long hours and tight deadlines.

This sentiment is so widespread that over a third of security managers are considering quitting their jobs in the next six months. A quarter of IT directors say that they too are considering leaving their current role. Senior decision-makers echo this, reporting an average cybersecurity turnover rate of 20 per cent, with two in three people seeing a notable increase year on year.

Cyber burnout won’t be tolerated

The increased cyber threat impacts SecOps employees personally, with stress resulting in fatigue, insomnia, headaches, depression, and anxiety. The cost of cyber-stress is a human issue and a massive organisational risk. Recruiting and retaining staff has never been more challenging, and holding on to cyber talent must be a priority for organisations that cannot simply replace those who choose to leave. Cyber skills shortages continue to halt hiring; 45% of IT Directors across the UK and US say a lack of skills and qualifications is the most significant barrier to recruitment.

In such a landscape, a candidate’s market, bigger paychecks easily lure disillusioned, overworked employees to competitors. Over a third report offers of higher salaries as the primary reason for moving on, while high levels of stress, lifestyle changes and excessive workloads also rate as drivers to quit. In hiring for replacements, organisations find it challenging to meet new, inflated salary expectations and cannot offer the working environments that in-demand experts want; over 30% of employers said working conditions and working patterns were barriers to cybersecurity recruitment.

As the Government’s recent report into the UK’s cyber security skills landscape highlighted, “while salary remains one of the top considerations for job applicants, the working culture can also be a driving factor in people leaving. This includes a lack of career progression and training. It also includes, outside the cyber sector, an organisation’s senior management not valuing cyber security and sustaining a poor cyber security culture.”

Organisations need to do everything they can to hold on to skilled professionals. Supporting and up-skilling existing staff to meet the threat risk is essential, but this must sit alongside maintaining positive working cultures. This starts with equipping SecOps leaders with the tools to prioritise and focus talent where it is most needed. Prioritisation is the foundation of any employee strategy – and cybersecurity is no different. While there are a myriad of potential threats out there, not all organisations face the same threat level from each risk.

Risk quantification

Focusing talent on high-risk threats, determined through sophisticated risk analysis, makes sense. It makes sure that the most severe gaps are plugged and ensures the organisation understands the financial ramifications of any given threat. This risk prioritisation approach also lets teams know where their energy and time should be expended, without depleting their reserves trying to do everything at once.

Now, the financial analysis that would have taken months, even years, is being delivered in just days, giving SecOps leaders and the wider business a common language. The ability to accurately quantify cyber risks as a specific financial value means SecOps leaders can speak to the CEO, CFO and wider board in terms of actual business impact – meeting them where shared priorities lie.

On the ground, this translates into teams who are supported to work on sustainable responses that concentrate resources to have the biggest impact and make their daily workflow more manageable. Risk quantification is a strategy that supports security professionals to deliver meaningful work without being overloaded. As the world becomes more connected, the importance of supporting these teams with the right tools to get the job done will also increase.

SecOps experts are not a finite resource, and no salary can compensate for intolerable and unhealthy working conditions that lead to burnout. Risk quantification is a strategy that improves incident response efficiency and effectiveness and makes for happier, more productive defenders who repay the investment in them with loyalty – and in the current climate, that loyalty is invaluable.


© 2024 Professional Security Magazine. All rights reserved.