The cybersecurity unemployment rate hovers around 0%. And while zero unemployment may seem like a good news story, it means two things – stress for employers and burnout for employees. According to the “State of Pentesting 2022: How Labor Shortages are Impacting Cybersecurity & Developer Professionals,” from software development firm Cobalt, the lack of qualified individuals has become the top problem facing security professionals.
The shortage hits across the tech and cybersecurity field, including a significant shortage of penetration testers (pen testers). The answer may be in reskilling – right now there may be more professionals out there willing to do the work, they just need to adapt their current skills accordingly.
“Excellence as a cybersecurity practitioner, particularly in pen testing, draws on cognitive abilities such as visual-spatial working memory, anomaly detection, and rule induction,” said Doug Britton, CEO at cybersecurity provider Haystack Solutions.
“Our research has shown that these abilities flourish in a spectrum of the population that is more than large enough to satisfy the need,” Britton told ClearanceJobs. “Until recently, the problem has been divining ‘who’ can learn the trade. We can close the gap, economically, by looking at populations that aren’t at the typical recruiting hot spots, finding those with the highest potential for pen testing, secure design, and other roles, and rapidly spinning them up. By focusing on those with the cognitive potential, we stop gambling with training money and start methodically building the workforce.”
Worker Burnout Making It Worse
While retraining can help, it won’t address another issue that the Cobalt also noted – worker burnout. Of the 602 security and development professionals surveyed, 54% said they currently want to quit their jobs due to the overwhelming amount of responsibilities. The workforce shortages within their departments have only made the situation worse. Upwards of 90% of those surveyed also said that because of the talent deficiency they are struggling to keep up with the work assigned to them.
In other words, those working may want to quit because there isn’t enough help. In total, 45% of survey respondents said their department is currently experiencing a shortage of employees.
“Part of the problem with burnout in cybersecurity is just how daunting it is to keep up with the latest attacks and vulnerabilities, and this affects both the red and blue teams,” explained Chris Clements, VP of Solutions Architecture at cybersecurity firm Cerberus Sentinel.
“For either team to understand new research requires understanding at least the basics of the underlying technology affected,” Clements told ClearanceJobs. “New vulnerability in a database product? Better brush up on your SQL. Attackers concealing that they’ve compromised a user’s mailbox with auto-delete rules? Time to learn how server-side mail rules work in your email platform. The list of different things is overwhelming and grows every day. Worse, when these issues pop up it’s often an urgent situation if not an outright emergency. It’s hard to imagine a condition that’s more disposed for burnout.”
Cybersecurity workers simply have too much on their plates.
“Companies are always searching for what I call a ‘Jack of all trades and a master of all,'” warned Tom Garrubba, VP at cybersecurity researchers Shared Assessments. “But even the most talented and experienced cybersecurity professionals cannot cover all the bases.”
How to Lessen the Burnout
The easy answer to the problem would be to hire more people, which comes back to Britton’s suggestion to increase training opportunities. But another solution would be to better manage current employees so current teams don’t burnout.
“First and foremost, make sure that responsibilities are well defined and reasonable,” Clements added. It’s simply not possible for any one person to be an expert in everything so don’t make that an expectation. A close second is resources to do the job effectively, this is compensation yes, but also tools and training to ensure the teams are set up for success. After that it’s managing workloads, both in the sense of total hours required to be effective but also in the type of work itself. Staring at a screen watching logs roll by for eight hours a day five days a week can be mind-numbing. Try to mix the fun parts with the less pleasant.”
Companies also need to have workers play to their strengths, and that can include assigning different responsibilities to different workers accordingly.
“Companies should consider managing security talent much like the way a sports team is managed; there needs to be enough talent and ‘depth’ on the bench,” Garrubba told ClearanceJobs. “You need to have depth and balance on your security bench along with the right amount of members to ‘play the game’ effectively. By employing such a methodology can greatly decrease the burnout rate amongst cybersecurity professionals and allow them to focus on the particular item(s) they’re best at. This also has them focused on continuous learning and sharpening their skill sets and, when time permits, to show others what they’ve learned and can do to broaden the depth of the team.”
There also needs to be consideration in how technology can be best leveraged to aid today’s overworked employees.
“Technology can be a friend with the automation of timely detection of anomalies and proactive countermeasures to secure the environment, and/or provide relevant information for a security pro to conduct further investigation,” suggested Nasser Fattah, North America steering committee chair at Shared Assessments.
“If an organization is being attacked, security pros do not have the time or luxury to do effective analysis and countermeasures if there is a burdensome amount of administrative overhead that needs to first take place,” added Fattah. “On this note, though not a panacea, SOAR (security orchestration and automation response) is a type of technology that can greatly assist security professionals with performing triage and upfront analysis, as well as helping them to take appropriate countermeasures, permitting security professionals to focus on more complicated security risks.”