Cyber security people are more worried about day-to-day stress and lack of career progression than suffering a cyber-attack. That is according to the Chartered Institute of Information Security’s (CIISec) latest ‘State of the Profession’ report. It’s the seventh annual survey of the cyber industry. In the survey of 315 people, a third (32pc) of respondents said they are kept awake by job stress, a quarter (25pc) by lack of opportunity, and only 22pc by their organisation suffering a cyber-attack.
One way to reduce cyber stress – a topic in the September print edition of Professional Security Magazine – would be to follow best practices, using simple but effective guidelines to protect organisations against the most common cyber-attacks, says CIISec. But the chartered body’s findings suggest organisations have been slow to adopt industry standards. Almost half (49pc) do not follow the UK Government’s Cyber Essentials, a scheme which provides basic best practice; and 20pc have formally adopted the official UK National Cyber Security Centre (NCSC) “Ten steps to cyber security” guidance.
Amanda Finch, CEO of CIISec, said: “Failure to adopt industry standards puts security teams on the back foot when it comes to protecting organisations against cyber-attacks, and only adds to their day-to-day stress. Without investing time and effort into making cyber security professionals’ lives easier, organisations are setting themselves up for failure. People need to be supported in their roles – with the right processes in place, the skills to do their jobs effectively, and clear paths to progress. Without this, the industry will soon see burnt-out talent who can’t defend against evolving threats.”
CIISec is holding its annual conference, CIISec Live, at Edinburgh Napier University, on September 7. Speakers there include David Ferbrache, chair of the National Cyber Resilience Advisory Board for Scotland; Mary Haigh, CISO for BAE plc; Rory Alsop, head of information security and cyber risk at Tesco Bank; Tim Ward, co-founder of security awareness software company Think Cyber Security; CIISec board members Jill Trebilcock and Andy Cobbett; and Prof Bill Buchanan who leads the Blockpass ID Lab at Edinburgh Napier.
Other findings from the report:
– “People” are still the biggest cyber challenge: most respondents (70pc) say “people” are the biggest challenge they face in security, compared to technology (17pc) and process (13pc).
– the cyber market is still in a boom: three quarters (75pc) see the market as “growing”, and an even more positive 15pc say it is “booming”.
– the covid pandemic boosted job prospects for some: 33pc of respondents say their job prospects have improved because of the pandemic, and only 4.3pc say their prospects have worsened.
– despite those booming prospects, a majority of respondents have encountered barriers to progression in their careers – including a lack of confidence in their own ability (identified by 38pc), lack of support or mentoring from organisations (38pc), an assumption they lack skills for roles (36pc), a feeling of being unwelcome/unaccepted (28pc), and a lack of training opportunities (28pc).
Pay, opportunity, and management are crucial to attracting and keeping talent, it appears; the top five reasons attracting respondents to security jobs were money/remuneration; opportunity and scope for progression; variety of work; training opportunities; and autonomy. Conversely, the top five reasons respondents left were lack of opportunity; poor remuneration; bad or ineffectual management; insufficient training; and boring or monotonous work.
As for diversity, CIISec’s report found the vast majority of respondents were male – 83pc – while a quarter (26pc) could not say that their organisation offers equal opportunities. Some 38pc of organisations have not implemented development programmes to attract women to join the profession or promote those already in it, and a further 5pc have tried but failed. One in five (21pc) of respondents couldn’t say that they would feel comfortable raising concerns about harassment – whether of themselves or others. Yet, organisations value diversity: 90pc of respondents feel their organisation values people of all cultures and backgrounds.
Amanda Finch added: “Without diversity and inclusion, the industry will stagnate and be left unable to keep up with complex cyber threats. By understanding and highlighting the variety of roles within cyber security, the industry can start to attract a diverse range of people. From forensics to threat intelligence to researchers, there are opportunities out there for everyone. At the same time, the industry doesn’t only need to attract people from diverse backgrounds, but also create a culture that is inclusive. Cyber security can no longer be viewed as a ‘boys only club’ where technical skills are valued above all. We need to move away from this and keep creating a culture where everyone can thrive, feel valued and be accepted.”