Burn baby burn, infosec inferno: Just 21% of security pros haven't considered quitting their current job

Almost one in five infosec pros have quit a job due to overwork or burnout caused by the constant pressure of keeping things safe and doing so without the resources to counter ever-evolving threats. This is the gloomy picture painted by a report from the Chartered Institute of Information Security (CIISec – previously known as …

  1. mmccul

    Where to get competent staff?

    Since I'm interviewing candidates very regularly for a variety of different infosec roles as a part of my job, I've found that one reason for burnout is the difficulty in finding competent staff. My employer has no incentive to fail to find good candidates, but so few of the candidates sent my way am I able to give a thumbs up for more than a tier-1 secops team staff -- the kind that does nothing but pre-written instructions developed by someone else.

    I've seen roles go unfilled for a year or longer just trying to find a competent low to mid level security analyst. Add in any middle to high level skill and expect more of a senior technical security role, and the time can increase even more.

    Easier to burn out when people leave and are not replaced, not because management won't let them be replaced, but because no one can find anyone they feel has the skills to be worth the cost of the chair they sit in.

    1. JohnSheeran

      Re: Where to get competent staff?

      Are you developing your people? It seems like the trend is to hire younger workers and develop them in house rather than look to the market for these skills.

      Don't take it as a criticism but it's beginning to feel like even the younger workers aren't interested in the things we need them to be interested in and even getting someone that's promising seems to be getting more difficult.

      1. Anonymous Coward
        IT Angle

        Re: Where to get competent staff?

        Keep in mind that resumes get screened for experience and not what they learned from that experience.

        To be successful you need someone who is intelligent and motivated because you can train them, assuming you have a training and mentoring program set up.

        Of course this requires management buy-in (and budget).

    2. Khaptain Silver badge

      Re: Where to get competent staff?

      Before you can find and eventually become capable of using competent staff, there is one far more important element to consider: competent management.

      If your N+1 asks for a certain established level of security but your N+2 is asking for another then the only guaranteed outcome is failure.

      I think we all know the scenario whereby the call comes in from the Big Boss about how urgent this latest document is for the company and that he must be given access to X, Y or Z immediately, thereby knocking security back to nothing.

    3. Anonymous Coward

      Re: Where to get competent staff?

      There is one absolutely critical axiom of security work.

      If someone in security is not given sufficient resources to do the work, that means they're merely there to take the blame for when things go wrong. I've seen it enough, and trust me, once you have that reputation you won't be able to get anyone actually competent to come even near you.

      As for the rest, if you're looking for a competent manager that can actually keep the people you hire, let me know :).

    4. Anonymous Coward

      Re: Where to get competent staff?

      Mmccul is not getting competent staff.

      Three things:

      1. Paying more will get you a greater choice as will recruiting better

      2. A technical job should have testing at the application stage to weed out unsuitable applicants before they waste your time and (ideally) more detailed in-person tests later on to weed out the cheats and identify the truly capable.

      3. The interview probably fails the best people. The sort of person that has great attention to detail and an enthusiasm for the nitty-gritty of IT systems is probably not going to interview well... but a BS merchant will come across great!

      My organisation puts greatest weight on the interview. We're suffering massively because of it.

    5. Anonymous Coward

      Re: Where to get competent staff?

      Or you could do what a major company has done in this country; outsource all your IT security (and indeed all your IT support too) because that is the best way to ensure that everything is done properly and cheaply!

      Then when you get smashed with not one but two ransomware attacks in a six month period because well-known security issues weren't patched, you can reassure yourself that it was at least cheap.

      Except for all your clients buggering off to safer harbours, so actually it didn't turn out all that cheap either.

      Oops! CIO resignations all round!

    6. This post has been deleted by its author

  2. Pascal Monett Silver badge
    Coat

    "The majority (64 per cent) claimed it was being forced to cope with fewer resources"

    Don't worry though, as soon as the company gets hacked, security will be "it's #1 priority".

    1. MiguelC Silver badge
      Unhappy

      Re: "The majority (64 per cent) claimed it was being forced to cope with fewer resources"

      It might become #1 priority, but security won't get any more resources allocated because of that.

      They'll hire some PR people instead.

      1. sev.monster Silver badge
        Megaphone

        Re: "The majority (64 per cent) claimed it was being forced to cope with fewer resources"

        Security is our #1 priority to blather on endlessly about.

    2. This post has been deleted by its author

  3. Anonymous Coward

    Internal pressure

    Having retired from security consultancy I can say that I really found the pressure of project managers and bid managers wanting to reduce the security requirements for the systems hard going at times. Security was basically seen as something to be reduced to save costs and win the bid, even when that would mean breaching HMG requirements as stated by the then GCHQ/CESG. Just getting a first penetration test of a system that had been running online for over 10 years was a struggle, as it was not 'in the budget'.

    Even when I registered a formal complaint about undue pressure, the salesman was not criticised, and eventually promoted. The fact is that if companies do not understand how to use security features as a sales promoter and benefit, they will put pressure on the security specialist to reduce security to below the absolute minimum, in the hope that a disaster will never happen, or at least not while they are still around, and they can always blame the security specialist if it does. It is rather like Idi Amin blaming his advisors for not persuading him of the dire economic consequences of ejecting all those Ugandan Asians who were an integral part of the national economy (they warned him but did not persuade him, so obviously it was their fault).

    The reason I didn't jump ship was that I didn't think I'd get any better treatment elsewhere.

    Anonymous coward to avoid the guilty being identified and me being sued.

  4. Anonymous Coward
    Unhappy

    IT security is structurally a difficult gig.

    1) Security in itself doesn't add overt usability and functionality to IT systems. IT security has a somewhat abstract and indirect value. And we've all seen the jokes about things like password policies actually inhibiting user productivity.

    2) Because of 1), security is often viewed as something to be tolerated instead of actively pursued, or bargained away in return for more immediate improvements in productivity or reductions in project cost.

    3) Until IT security fails, and your company has a major productivity-draining or brand-damaging incident.

    4) And when 3) happens, who does management come looking for to explain why things broke down based on 1) and 2)? The IT security staff.

    In business, some roles are usually left on the outside, looking in. IT security happens to be one of those.

    1. Julz

      Re: IT security is structurally a difficult gig.

      As you say there are others. I for my sins spent a goodly while as a performance specialist, similar set of problems. What they share is that they are all basically insurance pitches. If you spend X now you will be somewhat protected from the potential problem Y which might happen in the future. Good luck with that if the project is tight on funds. And don't get me started on backup infrastructure, or as I always used to say, recovery infrastructure, bloody nightmare...

  5. Anonymous Coward

    It's not just security though. You'll see this in a few IT sectors, especially in higher cost countries. Then you get the PHBs going on the gilded bonus hunt, opt for the cheaper alternatives, and as a result more pressure heaped on those left with the necessary experience. No incentive for younger generations to look to IT for a career as the PHBs have practically gutted the sector in the pursuit of money.

    When I was younger, IT was *the* thing to get into. The managers at the time honestly valued the skills people had (or at least in my experience).

    Nowadays those at the top just view IT as an inconvenience. I am sure that there are many who read The Register who do an amazing job on NOT being noticed for the work they do (if you get noticed then it's usually because something has broken, not because it's working perfectly).

  6. Anonymous Coward

    With security you're fighting the good fight, often the bearer of bad news and therefore usually acting as the messenger to be shot or a blame-hound for delays in projects.

    I'm lucky I'm in a role where I've been for a long time and have built up the respect of colleagues so I can safely point out problems and kick the butt of those who seek to use security as an excuse for the failings of their own projects.

    But that's because I'm in the public sector and the business is not driven by profit. I've also been here 15 years and am paid significantly under the going rate, although my working benefits are good.

    But it can still be a very frustrating job to sell security and to fight vendors who are doing their utmost to ignore it. It seems to be like GDPR never happened for most of them and they still have the blind belief that they can pass all DP risk to customers. The larger the company the bigger the problem. NGA are particularly shitty to deal with, but basically anyone providing a niche or monopoly service is usually a bastard to deal with. The ICO are bloody toothless as well and only interested after a breach.

  7. Potemkine! Silver badge

    As long as the house doesn't burn, everything is fine

    That's the motto of most companies I know. Very few take cybersecurity seriously before a major disaster happens.

    IT is seen as a cost, cybersecurity as a burden and a waste by shareholders and financial directors. As long as this paradigm endures, this situation will also.

    Sometimes I wonder if grabbing popcorn and watching the collapse instead of fighting windmills wouldn't be better for health. What a bloody thing conscientiousness is.

    1. Eclectic Man Silver badge

      Re: As long as the house doesn't burn, everything is fine

      Certainly as CEOs tend to last no more than 5 years they take the risk assessment that if an IT security incident happens early on it is their predecessor's fault. If it is anything they've done, then it will be after they have left (and sold their shares), so why bother?
