Nearly half of cybersecurity leaders will change jobs by 2025 due to multiple work-related stressors, and 25% will leave the field entirely, according to recent research from Gartner.
There are a lot of widely reported reasons for the exodus. Many cybersecurity leaders report struggling to adopt new practices against evolving threats, and 27% admit they spend too much time firefighting rather than focusing on strategic issues, according to a recent survey by cybersecurity technology company BlackFog.
The BlackFog survey also showed that recruitment, retention and work-life balance are a large part of the “get me the h*ll out of here” mentality cybersecurity professionals are suffering from.
Plus, their own co-workers are thwarting their efforts to keep the company safe. The Gartner survey shows that 90% of employees who admitted to a range of insecure actions during their work knew those actions would increase risk to the organization, and undertook them anyway.
(Ed. note: This raises the question, how can businesses recruit and retain cybersecurity experts if even their own co-workers won’t behave?)
Push the cybersecurity message
Both the C-suite and boards need to push the cybersecurity message harder and “stop treating cybersecurity as a nice thing to have,” said Gartner Lead Analyst Craig Porter on a webinar in July.
Porter said, “Cybersecurity is not optional anymore… [we must] build governance structures that foster effective autonomous risk decision making.”
In plain English, this means CISOs should prioritize culture shifts that teach employees to make smart security decisions, and should treat the rate of human error as a gauge of cybersecurity fatigue within the organization.
“A dedicated committee overseen by a board member is likely to increase visibility of cyber-related risk at the business level. While CISOs should experience more scrutiny with these higher expectations, they're also likely to receive more support and resources,” said Porter on the webinar.
“CISOs must expect conversations to shift away from performance- and health-related discussions to risk-oriented and value-driven exercises,” he told Silverlinings via a follow-up email. “For cybersecurity leaders to be recognized as business partners like their executive peers, cybersecurity leaders need to acknowledge the board and enterprise risk appetite.”
As of February 2023, there were close to 756,000 cybersecurity job openings in the U.S. alone. To make any impact on the exodus, the rules of engagement must change.
“While collaboration, work/life balance, and recognition are elements of a positive work culture,” he said, “competitive compensation packages, remote/flexible work offerings, career development opportunities that focus on training, mentorship, upskilling, reskilling, and advancement [will help] keep leaders engaged.”
Porter also emphasized that, hey, CISOs need self-care too in order to be effective leaders: “If you’re burnt out, it increases the risk that your team gets burnt out, which creates a slippery slope for your organization.”