The cybersecurity industry has a major talent retention problem.
According to a recent white paper published by Endgame, a cybersecurity operations platform, the average professional leaves the sector after only three years on the job.
In their survey of 3,000 cybersecurity professionals in a broad range of industries, researchers concluded that a lack of defined career paths, high burnout and stress rates, plus the industry culture more broadly were top reasons for considering a career change.
What’s causing cybersecurity pros to leave?
For those considering leaving the industry, 40 per cent cited burnout as the top reason. Stress was cited amongst 30 per cent of respondents, and then a lack of work/life balance, which inspired another 28 per cent to consider a change. Furthermore, the study found that 70 per cent of industry professionals work 41 to 60 hours per week, and that 10 per cent actually work more than 60.
“From a security perspective, there’s a lot of unneeded pressure within the industry as a whole,” explained James Morris, Director of ICT Sales and Services for Epic, a Bell MTS company.
“They get bored, typically they’re without any kind of succession plan and they’re stuck dealing with the lower-end fruit — like ticketing and sustained, repetitive tasks.”
Can the issues be addressed?
After spending over 20 years as a cybersecurity professional, Morris says he’s learned a number of techniques for improving the working conditions for his team of 35.
While Morris says AI will help alleviate the boredom by automating many of the more repetitive tasks, there are a number of steps that employees, managers and even the government can take to help improve conditions in the security industry.
Improvement #1: Start succession planning years in advance
The Endgame study ranked “ill-defined career path” as a top-three factor that could have a greater impact on retention, but Morris explains that in the security industry it’s a lot easier said than done.
“The problem is that you’ve got nobody to bring into the lower ranks,” he said. “Typically when you have a succession plan you have another junior staffer coming in the door to replace them, but when you’re talking about security, it’s a very advanced industry. You’ve got to have a significant amount of deep-in-the-weeds IT knowledge.”
According to Morris, a lack of qualified junior talent makes it hard to advance existing staff members, which is why he suggests that managers begin succession planning 18 to 24 months in advance.
Improvement #2: Encourage K-12 tech education
Morris says that one way to significantly alleviate the stresses of the industry is to encourage more interest in a career in cybersecurity at a younger age.
Specifically, he encourages more exposure to the industry amongst kindergarten to grade 12 students, who currently get little, if any. Morris explains that the lack of qualified junior candidates puts additional stress on the upper ranks of the industry and ultimately perpetuates its struggles with succession planning.
“We don’t start early enough in the educational cycle, in my mind, to get these kids ready,” said Morris, adding that there are some programs already working to address the issue. “They started doing this in Manitoba with the Cyber Defence Challenge. They actually start these kids in grades five and six, and it gets them excited and knowledgeable about it early.”
Improvement #3: Invest in your people
High turnover rates in the industry can lead some employers to be cautious when investing in the growth and advancement of their staff, but Morris believes this sort of mentorship is vital in encouraging staffers to stick around.
“This is not just a whole bunch of people sitting at desks looking at random things,” he said, explaining that the sophistication in the technology should be equalled in the continual professional development of the staff.
“There have to be investments in technology, training and in the individuals from a career path perspective.”
Improvement #4: Support all-star employees any way possible
After spending more than two decades in the industry, Morris has found that the brunt of the work often falls to one or two all-star employees.
“We always rely on those one or two people — the two smartest ones in the room,” he said. Having been that guy in the past, Morris explains that the added pressure and responsibility provides a perfect storm for burnout.
“It’s a matter of ensuring that we’re not just relying on the one person,” he said. “It’s really a very strong succession plan, a very strong training plan, knowledge transfer of information and involving other people throughout.”
Improvement #5: Don’t let the stress build
Overall, Morris says that the most important lesson he’s learned as a manager of IT security staff is to know when to relieve the stress valve before any real damage is done. He explains that it’s up to employers and managers to keep a close eye on their staff and ensure that none are approaching burnout levels of stress.
“If I notice one member of my team is getting burned out, I pull them in and throw them on vacation for two weeks,” he said. “If it causes a little extra stress, the rest of the team will help pick it up.” It’s that foresight that can help mitigate burnout and create a better team environment for everyone.