One could assume that given the chronic shortage of cybersecurity professionals that organizations large and small face there would be a maniacal focus on retaining individuals with these critical skills. But a survey of over 9,000 IT security professionals published this week by Mondo, a staffing agency, a full 60 percent of respondents reports they are looking to leave their job.
A lack of growth opportunities and job satisfaction are tied as the top reasons to leave a job, followed by unhealthy work environment, lack of IT security prioritization from C-level or upper management, unclear job expectations, and lack of mentorship.
'In an ideal world, there would be a two-track path for advancement that would allow #cybersecurity professionals to earn more money without having to move into the ranks of management.' ~ @mvizardClick To Tweet
Now those issues are always a factor when it comes to retaining any employee, and given the fact that recruiters are constantly trying to lure cybersecurity professionals with higher paying job offers, it’s safe to assume the phrase “growth opportunities” in part at least is a euphemism for money. It’s hard in most organizations to get a decent raise without some level of promotion being involved. But there are only so many senior manager spots available, and not every cybersecurity professional, no matter how talented, is cut out to be a manager. In an ideal world, there would be a two-track path for advancement that would allow cybersecurity professionals to earn more money without having to move into the ranks of management. But not enough organizations are that enlightened.
The survey finds that when it comes to retaining cybersecurity talent issues such as work-life balance (67%), having security concerns taken seriously (55%), and increased sponsorship of certifications/courses (48%), increased investment in emerging tech (34%) and CISO leadership/defined ownership of security needs (31%) are all significant factors when it comes time to convince cybersecurity professionals to stay longer in a job.'The cost of a single #cybersecurity breach often exceeds what a small-to-medium business (SMB) invests in cybersecurity on an annual basis.' ~@mvizard @Mondo_agents Click To Tweet
Of course, not every organization has leaders that take cybersecurity seriously enough to appoint of CISO or, for that matter, invests the right amount of money in cybersecurity. Smaller companies are always going to have budget limitations. The sad fact is that the cost of a single cybersecurity breach often exceeds what a small-to-medium business (SMB) invests in cybersecurity on an annual basis.Cybersecuriy professionals face a constant stream of new threats, plus ongoing risky behaviors of coworkers. The stress is taking its toll on employees. @mvizardClick To Tweet
Cybersecurity professionals generally want the same things that most employees crave. The difference is the amount of inherent stress that comes with the job. Not only is there a constant stream of threats that need to be thwarted, but employees are also constantly engaging in behaviors that make it more challenging than it necessarily should be for cybersecurity professionals to succeed. A cybersecurity breach may not be the fault of the cybersecurity team, but every security breach takes its toll on morale.
Most of all, the most skilled cybersecurity professionals want to work for organizations that value their efforts. Unfortunately, 84% of IT security decision-makers that participated in the survey admitted their company could be more secure. The rank and file cybersecurity professionals participating in the survey ranked information security, network/infrastructure security, application security, and cloud security as being the areas of most concern going into 2019. The number of organizations that have all four of those areas of cybersecurity under control are very few and far between.
Of course, that’s also why many cybersecurity professionals ultimately decide to stay where they are. The next organization they may work for isn’t likely to pay any more attention to cybersecurity than the one they work for now, and the cybersecurity weaknesses of that organization amount to at the very least being the devil they already know best.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.