Security pros fret about stress and promotion over cyber attacks


Cyber security professionals in the UK say they are more worried about quotidian issues than the threat of having to deal with a major cyber incident as they go about their business, according to the latest State of the profession report produced by the Chartered Institute for Information Security (CIISec).

The seventh annual edition of CIISec’s report, which has just been released, reported that 32% of security pros are kept awake by job stress, 25% fret about a lack of opportunity to progress in their careers, but only 22% are most concerned that they might fall victim to a cyber attack.

CIISec’s CEO Amanda Finch said it was clear that steps needed to be taken in a great many instances to reduce stress among security pros and let them focus on projects that would prove their sense of worth and increase the opportunities available to them.

One way of doing so would be to enforce established best practice and security guidelines – the research also showed 49% of respondents employers did not follow the recommended Cyber Essentials practices, and only 20% had formally adopted the National Cyber Security Centre’s (NCSC’s) 10 Steps To Cyber Security guidelines.

“Failure to adopt industry standards puts security teams on the back foot when it comes to protecting organisations against cyber attacks, and only adds to their day-to-day stress,” said Finch.

“Without investing time and effort into making cyber security professionals’ lives easier, organisations are setting themselves up for failure. People need to be supported in their roles – with the right processes in place, the skills to do their jobs effectively, and clear paths to progress. Without this, the industry will soon see burnt-out talent who can’t defend against evolving threats.”

The report also found the cyber security market in the UK is in rude health, with 75% of respondents saying the market was growing and 15% booming, with the pandemic having improved job prospects for many respondents.

However challenges and barriers remain. A huge number, 70%, of respondents, said that people were their biggest challenge to effective security, compared to technology (17%) and processes (13%), highlighting the continued need to foster cultural change as much as technical innovation.

On a more personal note, a majority of respondents said they had seen barriers to career progression, including a lack of self-confidence, a lack of support or mentoring from their employers, an assumption they lack the skills needed to progress, feelings of being unwelcome or unaccepted in their workplaces, and a lack of training opportunities.

Security pros overwhelmingly said that better pay, opportunity for progression, more variety of work and more autonomy in it and better training, would all help attract and retain talent.

Elsewhere, CIISec also reported that the cyber profession still has a very long way to go when it comes to diversity and inclusion. The vast majority of respondents to its study were men – 83% compared to 12% women – and genuine equal opportunities in cyber still seem far away.

Among other findings in this regard, CIISec reported that 36% of organisations had not implemented any kind of plan to address the gender imbalance in their security teams, while 5% had tried, found it difficult and given up.

Even more concerning, CIISec found a worrying unwillingness among cyber pros to address issues around bullying or harassment in the sector. Over a fifth of respondents could not say that they would feel comfortable raising concerns in this regards.

“Without diversity and inclusion, the industry will stagnate and be left unable to keep up with complex cyber threats,” said Finch.

“By understanding and highlighting the variety of roles within cyber security, the industry can start to attract a diverse range of people. From forensics to threat intelligent to researchers, there are opportunities out there for everyone.

“At the same time, the industry doesn’t only need to attract people from diverse backgrounds, but also create a culture that is inclusive. Cyber security can no longer be viewed as a boys only club where technical skills are valued above all. We need to move away from this and keep creating a culture where everyone can thrive, feel valued and be accepted.”


Leave a Reply

Your email address will not be published. Required fields are marked *