Cybersecurity professionals are at breaking point, with many fearing they will soon lose their jobs because of a cyberattack and others struggling to cope with the growing strain. Unless businesses act soon, an ever-growing skills gap might become an unbridgeable chasm.
These leaders attribute their desire to leave to two dominant causes: 42% say a cyber breach is inevitable and do not want it to tarnish their careers, and 40% say stress and burnout are heavily impacting their personal lives.
This exodus of talent represents a big issue in two key ways: first, in terms of the personal toll it takes on people who struggle to meet their work demands; and second, for the businesses that lose their cybersecurity capability and struggle to fill the gaps they leave behind.
And while the number of cybersecurity professionals hit a record total of almost 4.66 million globally in 2022, growing by 11.1% year-on-year according to the 2022 ISC2 Cybersecurity Workforce Study, the global cybersecurity workforce shortage widened by 26.2% to reach a staggering 3.42 million people.
That shortage is going to create huge issues, because without the expert resources to stay safe and secure, businesses face an ever-increasing risk from all kinds of cybersecurity actors and threats.
What's more, these risks will lead to even more pressure on security staff -- and the risk of people suffering burnout or wanting to leave the industry will just continue to grow.
Trustpilot CISO Stu Hirst is one security leader who faces the disparate challenges of working in IT security every day.
"Cybersecurity is a particularly difficult job for lots of different reasons," he says. "You've got to be very careful about the impact it can have on you. It can be a high-stress environment, because you're dealing with things that you don't know are happening or you're waiting for something bad to happen."
One issue found in security -- where professionals have to understand a huge range of technologies and issues -- can be imposter syndrome, which can manifest as a nagging sense of self-doubt.
"There's just so many things you're responsible for and you just can't be an expert in all those things, yet there's often a demand for you to try and be an expert in lots of those things," he says. "And I think it's more prevalent in security than in the other realms."
So, how can senior managers remove some of the strain on their cybersecurity staff?
Clare Lansley, CIO from Aston Martin Cognizant Formula One, says one of the key things is to ensure that processes and procedures are clear and concise. People need to know how to work and what to prioritize.
"Make sure that you've got proper incident management procedures in place," she says. "Then, if something does get breached, you can quarantine it quickly and address it."
Of course, creating strong incident management procedures does create a set of responsibilities that need to always be fulfilled -- especially in a 24/7 digital age.
"As management, we need to ensure there is appropriate out-of-hours cover and that it is rotated because wellbeing is a significant issue. You must make sure that your team are mentally and physically well," she says. "That's all about being responsible managers and figuring out how can you share the hours from a support perspective to maintain 24/7 operations."
Lisa Heneghan, global chief digital officer at consultancy firm KPMG, says embedding security processes into the heart of the business helps ensure people feel part of the wider organization -- and creates benefits for the rest of the enterprise, too.
"Cyber used to be very much off in a darkened room," she says. "And don't get me wrong, there's loads of stuff relating to IT security that people in security still have to do. But you need to be thinking about cyber at the heart of every business process and everything that you do within an organization."
And cyber isn't a one-way street -- as well as ensuring the people in security feel part of the broader enterprise, Heneghan says line-of-business professionals must also learn about cyber concerns themselves.
Success requires a joined-up approach, where business and security come together and recognize how information integrity isn't just one team's -- or even one person's -- responsibility.
"It's about building the fundamental foundation," she says. "It's not acceptable for anyone in an organization not to understand the exposure and the risks around security anymore."
That's something that Heneghan says KPMG has prioritized recently, and its own cyber capability has been "uplifted" globally.
"We've now got a community of people who can support each other," she says. "It's not the same as the old days in IT, where you'd got one CISO who had got the whole world on their shoulders. Creating an uplift is all about working together when there's cyber challenges to address."