Stress and burnout in cyber security – recasting awareness as influence
According to ISC2’s 2023 Cybersecurity Workforce Study, the global cyber security workforce has reached record levels. The organisation, the world’s leading member association for cyber security professionals, celebrated the news but also suggested it remains in the shadow of unfulfilled demand.
“In 2022, the gap between supply and demand was estimated at 3.4 million; a year later this reached 4 million”, leaving the profession “struggling with the seeming paradox that it is employing an ever-greater number of people in cyber security roles but at a pace that never quite catches up with the underlying need in terms of numbers or specific skills.”
Reasons for the gap are multifaceted, ranging from an evolving threat landscape demanding more employees and new skills, to macroeconomic factors leading to layoffs and hiring freezes. But one seemingly controllable factor, which crops up repeatedly, is stress and burnout and its impact on those already within the industry.
A survey by ClubCISO recently found that only 11% of CISOs believe their organisations’ efforts to combat stress are impactful. For a profession already so squeezed for talent, and when 85% are currently anticipating leaving their roles due to burnout, organisations must do more to ensure the wellbeing of their existing workforce. Not doing so has the potential to significantly undermine organisational security even further.
Why is stress and burnout still rife in cyber security?
The relentless growth of the threat landscape, characterised by a growing number of devices and data points and an increasing number of threat actors, is so widely recognised now that there really is no excuse for not taking targeted action on wellbeing.
The number of data points security professionals now have responsibility for monitoring and managing is eye-wateringly high. And with the proliferation of the cloud and intelligent edge deployments, this is only set to increase. Whilst a number of technology solutions have been developed to improve real-time detection and automate threat response, the cyber security sector, and those within it, still operate on an ‘always on’ basis, often responding to alerts out of hours, over weekends, and on public holidays too.
Coupled with the ‘always on’ nature of the role, the consequences of a material breach are now extremely high. IBM reported that the global average data breach cost in 2023 was $4.45 million, a 15% increase over 3 years. And with upcoming regulations such as NIS2 also carrying significant financial penalties for non-compliance at the time of a breach, cyber professionals’ ability to mitigate security risk can often make or break businesses.
Making cyber security everyone’s problem
Telstra recently conducted a study which canvassed the views of 301 senior technology decision-makers – 151 who had suffered a data breach and 150 who had not – and found that of the respondents who had not suffered a material breach, the most common characteristic used to describe the organisations’ culture was “collaborative”.
This should come as no surprise. Organisations encouraging and facilitating information sharing and knowledge transfer across functions and departments are typically more united in achieving their goals. The increased collaboration usually fosters more trust between teams, facilitating further knowledge sharing. This virtuous cycle can be hugely beneficial for organisational cyber security, where the actions of each individual employee contribute to overall resilience.
A strong collaborative culture can enhance resilience against cyber threats while reducing the stress burdens CISOs and security professionals might face. However, this is much easier said than done and doesn’t just mean more awareness and education. CISOs need to design ‘influence’ programmes that elicit specific behavioural responses when employees confront a security challenge to embed lasting change.
Awareness vs influence
Fostering a mindset of cybersecurity as a shared responsibility, with all employees being accountable for protecting an organisation’s assets and data, is the end goal. Ultimately, all that employees need to know is how best to respond to a specific challenge (and be motivated to do it), i.e., what they should do in their roles when confronted with a potential security incident. This is where many internal security awareness programmes miss the mark: they have done a good job of speaking to the importance of cybersecurity resilience but have not helped employees internalise this.
To truly embed a security culture and solve the human factor, awareness programmes must now be recast as influence programmes.
There are a range of tactics CISOs could consider, but fundamentally those delivering people-centric security programmes need to consider the following factors when working to embed a positive security culture:
Compliance
Which actions or behaviours have negative consequences that we must design compliance policies around? This could be using personal devices for work-related activity, not changing passwords regularly, or using untested/unverified tools on company networks.
Brand and Reputation
How is advice and guidance coming across internally? Are we telling an engaging and consistent story? Does the message need to be delivered by someone more senior? From a different department? Security teams need to consider the message and who is delivering it to influence behaviour.
Internalisation
People will change their behaviour if they internalise and believe in your words. For example, highlighting how security hygiene is increasingly important in other areas of life might make these behaviours more relevant. Once people internalise them, the behaviour becomes intrinsically valuable and rewarding.
Fortifying cyber resilience
With the global cyber security workforce facing an ever-widening gap, the urgency to combat stress and burnout among professionals is critical. Thankfully, the importance of a positive security culture is well recognised within the industry, and teams are dedicating a good level of focus to delivering people-centric programmes.
However, the shift from awareness to lasting change is no easy feat. To do this, CISOs will have to polish a new set of skills in communications and behavioural change or risk overwhelming their existing staff as the threat landscape grows.
Rob Robinson is Head of Telstra Purple EMEA