Security teams on the verge of burn-out: an attempt to explain this phenomenon

Cyberrisk Management & Strategy


Many security teams are faced with a growing number of employees leaving. This article examines the reasons behind this situation and the rise in burnout, and proposes possible solutions.

Repeated sick leave, insomnia and withdrawal: information security teams have been under great pressure for several years. Threats are intensifying, but that alone does not explain the phenomenon. Stress levels are related more to the way the function operates and to management practices than to the nature of the work itself. Last year, a study by Nominet showed that 23% of Information Security Systems Managers (ISSMs) in 2020 admitted to using medication, alcohol or drugs to cope. Very clearly, the phenomenon is not limited to ISSMs alone but extends to the entire ISS community (SOC analysts, project managers, experts…). The question stands: how have we moved from passionate, close-knit teams to this level of HR concern in less than 10 years?

A dedicated HR approach for Security functions

Initiatives that change HR policies, training courses and managerial practices remain very rare, even though the well-being of employees and the smooth running of the function have a definite impact on the level of security achieved.

Faced with this observation, some organisations have taken an interesting approach: they have integrated these HR operating topics directly into their maturity framework (NIST, ISO, etc.). This is an excellent idea, because it allows essential subjects to be handled within a few weeks through an organisation and processes that already exist (assurance, evidence review, cyber programme, etc.). Another advantage is that the framework is often a key input for building the strategy, so the HR dimension is directly integrated into the multi-year plan of these companies. Concrete and measurable objectives are defined for staff turnover, employee motivation and work/life balance. Finally, these elements are regularly presented to top management alongside the patching rate, zero-trust convergence and resilience capabilities.

When employee well-being is integrated into the objectives of the function, and therefore into those of the CISO, companies run more smoothly. It is still necessary, however, for companies to make sure they address the right subjects within this dimension.

Priorities: Valuing expertise, encouraging mobility and aligning salaries

Pentesters, CERT analysts, DevSecOps specialists… the security function is made up of a multitude of experts who are not always recognised, valued and motivated. Unfortunately, too many companies still have a natural tendency to overvalue management to the detriment of expertise. It is therefore crucial for organisations to create an ecosystem that favours experts in ISS fields. The possibilities are vast: implementing specific career paths, providing access to certifications and qualifications, involving communities of experts in major decisions, and encouraging external exposure (conferences, media).

The subject of mobility is also essential. There is a real feeling of suffocation within the function: the pressure on cybersecurity teams is so strong that many employees feel stuck in their posts, without the slightest prospect of progression. As a result, morale is low, people go around in circles and criticise, and an unhealthy climate sets in. An obvious solution does exist, however: encouraging or even imposing mobility. For example, some major organisations have recently set up incentive governance that allows ISSMs to spontaneously offer mobility opportunities and exchange staff. Cybersecurity is a vast enough field to support rich and exciting careers; a healthy function is one with a mobility rate of at least 10%.

Finally, compensation needs to be discussed. There are major differences in CISO remuneration from one entity to another, and the salary structure itself may differ within security teams. It is impossible to build team spirit and solidarity under such conditions. There is no simple solution to this problem, but compensation packages, along with the prospect of mobility, need to be points of discussion between security leadership and HR.

Building a shared sense of empowerment for employees

In recent years, security has taken on a whole new dimension: there is on average 1 security FTE per 500 to 3,000 employees. The era of small teams of 15 passionate people within the IT department's operations is over. With large teams, a simple decision can take weeks.

There is an urgent need to build a clear operational model, with a focus on pooling and eliminating redundancies:

    1. Regrouping centres of expertise (Audit, Cloud…)
    2. Creating a single cyber defence centre (SOC, CERT…)
    3. Structuring a single Group-wide Cybersecurity Programme
    4. Pooling the PMO into a Reporting Factory

This type of grouping makes it possible to create a sense of empowerment and to give collective meaning to the work. Among the companies that have undergone recent reorganisations, it is estimated that around 40% of the function's employees work on activities with a transversal scope.

There are many ways to boost well-being and enable employees to build a full and rewarding career within the function: salary alignment, upskilling, training plans, mobility processes and reorganisation of the function. However, this work cannot be carried out by HR alone. It is essential that the CISO and team managers are strongly involved in establishing these efforts and sustaining them over the long term.