Stress and career progression more of a concern to security professionals than cyber-attacks, CIISec survey shows

Amanda Finch of CIISec
London, UK. 25 August 2022 – Cyber security professionals are more worried about day-to-day stress and lack of career progression than suffering a cyber-attack, according to The Chartered Institute of Information Security’s (CIISec) 2021/22 State of the Profession report – the seventh annual survey of the cyber security industry. In the survey of 315 security professionals, a third (32%) of respondents said they are kept awake by job stress, a quarter (25%) by lack of opportunity, and only 22% by their organisation suffering a cyber-attack.
One way to reduce cyber security professionals’ stress, and allow them to focus on projects that would prove their worth and increase opportunities, would be by following established best practices – using simple but effective guidelines to protect organisations against the most common cyber-attacks. But the research reveals organisations have been slow to adopt industry standards. Almost half (49%) do not follow the UK Government’s Cyber Essentials practices, which provide basic best practice; and 20% have formally adopted the NCSC’s “Ten steps to cyber security” guidance.
“Failure to adopt industry standards puts security teams on the back foot when it comes to protecting organisations against cyber-attacks, and only adds to their day-to-day stress,” comments Amanda Finch, CEO of CIISec. “Without investing time and effort into making cyber security professionals’ lives easier, organisations are setting themselves up for failure. People need to be supported in their roles with the right processes in place, the skills to do their jobs effectively, and clear paths to progress. Without this, the industry will soon see burnt-out talent who can’t defend against evolving threats.”
Other key statistics from the report include:
- “People” are still the cybersecurity challenge: 70% of respondents say “people” are the biggest challenge they face in security, compared to technology (17%) and process (13%).
- Cybersecurity market still in boom times: Three quarters (75%) see the market as “growing”, and an even more positive 15% say it is “booming”.
- Pandemic boosts job prospects for many: 33% of respondents say their job prospects have improved because of the pandemic, and only 4.3% say their prospects have worsened.
- Despite booming prospects, individuals face barriers to progression: The majority of respondents have encountered barriers to progression in their careers including a lack of confidence in their own ability (identified by 38%), lack of support or mentoring from organisations (38%), an assumption they lack skills for roles (36%), a feeling of being unwelcome/unaccepted (28%), and a lack of training opportunities (28%).
- Pay, opportunity, and management are crucial to attracting and keeping talent: The top five reasons attracting respondents to security jobs were money/remuneration; opportunity and scope for progression; variety of work; training opportunities; and autonomy. Conversely, the top five reasons respondents left were lack of opportunity; poor remuneration; bad or ineffectual management; insufficient training; and boring or monotonous work.
Lack of diversity remains an issue
CIISec’s report also highlights the progress the industry still needs to make on improving diversity. The vast majority of respondents were male (83%, compared to 12% female), while a quarter (26%) of cyber security professionals could not say that their organisation offers equal opportunities. Other findings show:
- No programmes to address gender imbalance: 38% of organisations have not implemented development programmes to attract women to join the profession or promote those already in it, and a further 5% have tried but failed.
- Harassment may be going unreported: 21% of respondents couldn’t say that they would feel comfortable raising concerns about harassment, whether of themselves or others.
- Despite issues, organisations value diversity: 90% of cyber security professionals feel their organisation values people of all cultures and backgrounds.
“Without diversity and inclusion, the industry will stagnate and be left unable to keep up with complex cyber threats,” continues Finch. “By understanding and highlighting the variety of roles within cyber security, the industry can start to attract a diverse range of people. From forensics to threat intelligence to researchers, there are opportunities out there for everyone. At the same time, the industry doesn’t only need to attract people from diverse backgrounds, but also create a culture that is inclusive. Cyber security can no longer be viewed as a ‘boys only club’ where technical skills are valued above all. We need to move away from this and keep creating a culture where everyone can thrive, feel valued and be accepted.”