Cybersecurity employees' lack of commitment a dangerous development: report


Employees in the cybersecurity field are not very committed to their jobs, suggesting a lack of continuity that could make it hard to cohesively battle one of businesses’ biggest threats, a survey found. 

Some 70% of cybersecurity professionals are open to new opportunities, while 14% plan to look for a new job and 15% say they have no plans to switch, according to the report by (ISC)², an association of cybersecurity professionals.

Top-notch, engaged cybersecurity professionals are needed given the growing cost of cybercrime, says Cybersecurity Ventures, which predicts there will be 3.5 million unfilled cybersecurity positions by 2021. Cybersecurity job forecasts have been unable to keep pace with the rise in cybercrime, which Cybersecurity Ventures projects will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015.

One of the reasons cybersecurity professionals may be inclined to jump around is salary, even though it averages $116,000 annually, or approximately $55.77 per hour, according to CIO Magazine. That's nearly three times the national median income for full-time wage and salary workers, according to the Bureau of Labor Statistics.

“Recruiters are relentless today,” said Rich Fennessy, CEO at Kudelski Security, in an email. “There are many opportunities for technical staff to make career changes. We’ve found compensation isn’t enough—our people want to be empowered, they want to make contributions to the business and be meaningful.”

Flexibility is key

They want “flexibility to pursue research, experiment with tools and technologies, be part of a product launch team, speak at conferences, or just the flexibility to pick their kids up from school,” Fennessy said.

(ISC)² suggests that unmet expectations between organizations and their cybersecurity workforce both during the hiring process and time on the job—combined with high demand for security skills and frequent contact from recruiters—may be encouraging many cybersecurity professionals to consider new opportunities.

“The cybersecurity workforce gap is growing rapidly, and turnover within cybersecurity teams makes filling those roles even more challenging,” said (ISC)² COO Wesley Simpson in a statement. “It is more critical than ever for organizations to ensure their recruitment and employment retention strategies are aligned with what cybersecurity professionals want most from their employer and the position.”

Findings from the (ISC)² study include:

  • The top priority is not salary (49%).
  • 68% want to work where their opinions are taken seriously.
  • 62% want to work where they can protect people and their data.
  • 59% want to work for an employer that adheres to a strong code of ethics.

The report also identifies how employers often fail to impress cybersecurity job seekers and staff with:

  • Vague job descriptions (52%).
  • Job descriptions that inaccurately reflect responsibilities (44%).
  • Job postings that ask for insufficient qualifications (42%), demonstrating an organization’s lack of cybersecurity knowledge.


Cybersecurity workers want to be cutting-edge. “They demand constant challenges, access to the newest tools, and the autonomy to be creative when solving mission-critical problems,” said Varun Badhwar, CEO of RedLock, via email. “Employers need to nurture and support these aspects and augment them by encouraging security teams to step out and take the spotlight where they’re comfortable—for example, speaking at an industry gathering or developing a whitepaper for an annual conference.”

“CEOs need to understand the battles that a cyber-team faces and that while they may invest a lot in tech in their overall budget, they still need to make sure that cybersecurity teams are accurately resourced and supported,” said Barrett Lyon, general manager of DDoS defense at Neustar, in an email exchange. “If cybersecurity teams aren’t appropriately staffed and feel appreciated, skilled workers will burn out. In addition, leaders should take this a step further and invest extra time for cybersecurity professionals to continue their education and development as the threat landscape continues to shift and alter the skills required to do their job successfully.”

A better balance

Cyber companies should realize that employees are looking for more work-life balance, said Choo Kim-Isgitt, head of product at cybersecurity company EdgeWave, in an email. “Employer expectation that you should work on weekends and after 5 needs to be balanced with work-from-home options. No longer can this be a one-sided point of view.”

Employers should “periodically assess employees, not just for performance, but for career goals and if their current role matches to what they should be doing,” Kim-Isgitt said. “Employees should also be given opportunities to try new projects and test new skills and have a way to express their wishes and concerns in a safe zone. And finally, hard work should be rewarded. Even a simple, genuine thank you can go a long way.”