Security channels on the verge of burn-out – an attempt to explain this phenomenon

Cyberrisk Management & Strategy


Security organisations are facing more and more employees leaving. There is an urgent need to rebuild a more readable operational model, with a trend towards pooling and eliminating redundancies. This article presents an attempt at explaining this situation and at proposing some possible solutions.

Repeated sick leave, insomnia, withdrawal: security teams have been under great pressure for several years. Although threats are intensifying, that alone is not enough to explain this phenomenon. It is clear that the level of stress is related more to the functioning of the sector and to management practices than to the very nature of the activities carried out. Last year, a study by Nominet showed that 23% of ISSMs in 2020 admitted to using medication and/or alcohol and drugs to cope. And very clearly, the phenomenon is not limited to ISSMs alone but extends to the entire ISS community (SOC analysts, project managers, experts…). But how have we moved, in less than 10 years, from passionate, close-knit teams to such an HR situation?

Cybersector HR approach

Requests for intervention concerning HR policies, training courses and managerial practices are very rare, even though the smooth running of the sector and the well-being of its employees have a definite impact on the medium-term level of security. Sportsmen and women know it very well: the state of mind in the changing room has a major influence on the final result.

Faced with this observation, some large companies have taken an interesting step: they have integrated these HR operating topics directly into their maturity framework (NIST, ISO, etc.). This is indeed an excellent idea, as it enables them to deal with essential subjects in a few weeks via an already established organisation and processes (assurance, evidence review, cyber programme, etc.). Another advantage is that the framework is often an essential input to the construction of the strategy, so this HR dimension is directly integrated into the multi-year plan of certain companies. Concrete and measurable objectives are defined for staff turnover, employee motivation or even work/life balance. Finally, these elements are regularly presented to top management alongside the patching rate, zero-trust convergence and resilience capacities!

When the physiological well-being of employees is integrated into the objectives of the sector, and therefore at the same time into those of the CISOs, companies run much more smoothly; but it is still necessary to address the right subjects!

Priorities: Valuing expertise, encouraging mobility and aligning salaries

Pentesters, CERT analysts, DevSecOps specialists… the security sector is made up of a multitude of experts, who are not always recognised, valued and motivated appropriately. Unfortunately, too many companies still have a natural tendency to overvalue management to the detriment of expertise. It is therefore indispensable to create an ecosystem favourable to experts in the ISS fields. The field of possibilities is vast: the implementation of specific career paths, encouraged access to certification, involvement of communities of expertise in major decisions, external recognition (conferences, media).

The subject of mobility is also essential. There is indeed a feeling of suffocation within the sector: the tension on cybersecurity resources is so great that many employees feel they are stuck in their posts, without the slightest possibility of progression. As a result, morale is low; people go around in circles, ask questions and criticise, creating an unhealthy climate. An obvious solution exists: encouraging or even imposing mobility. For example, some large companies have recently set up incentive governance that allows ISSMs to spontaneously propose moves and exchange resources; the subject of cybersecurity is vast enough to create rich and exciting careers. A healthy sector is one with a mobility rate of at least 10%.

Finally, there is a need to discuss wages. There are major differences in CISO remuneration from one entity to another, and the salary structure itself may differ. It is impossible to create team spirit and solidarity in such conditions. The project is not simple, but it deserves to be discussed with HR, all the more so in a context of strong mobility, which will necessarily lead to complicated situations.

Employees no longer understand their organisation and suffer as a result.

In recent years, security has taken on a whole new dimension: in France, there is an average of 1 security FTE per 500 to 3,000 employees, with an average of around 1 per 1,000. The era of the small team of 15 passionate people within the IT department's operations is over. With large teams, a simple decision can take weeks.

There is an urgent need to rebuild a more readable operational model, with a trend towards pooling and eliminating redundancies:

  1. Regrouping centres of expertise (Audit, Cloud…)
  2. Creation of a single cyber defence centre (SOC, CERT…)
  3. Structuring of a single Cybersecurity Programme within the Group’s reach
  4. Pooling of the PMO in a Reporting Factory.

This type of grouping makes it possible to create momentum, to get people on board and to give collective meaning. Following the recent reorganisations, it is estimated that around 40% of the sector's employees work on activities with a transversal scope.

Salary alignment, re/up-skilling, training/certification plans, mobility processes, reorganisation of the sector: there are many subjects to be dealt with to boost well-being and enable employees to build a full and rewarding career within the sector. However, this work cannot be carried out by the HR functions alone. It is essential that the CISO and team managers are strongly involved in order to sustain the effort over the long term.