5 Most Stressful Aspects Of Cyber Security

Research shows situations that are keeping security professionals up at night

The Enterprise Strategy Group and the Information Systems Security Association (ISSA) recently published their third annual research report: The Life and Times of Cyber Security Professionals. In this year’s report, ESG and ISSA asked respondents to identify the most stressful aspects of a cyber security job or career.

This comes on the heels of another recent report finding that cyber security continues to drive technology spending in 2019, due in large part to the skills shortage the industry is facing.

“The on-going acute shortage of cyber security skills is about more than the large number of open cyber security positions, it’s also a function of the specific skills required to secure an increasingly complicated environment inclusive of mobile knowledge workers and the extensive use of public cloud services,” commented Doug Cahill, Group Director and Senior Analyst for ESG.

“In addition to higher education programs, advances in automation and machine learning to improve efficiency, and cyber security services are front and center in addressing this perennial cyber security challenge,” Cahill said.

So while we know that the talent gap is playing a major role in increasing spend, here are the five things that are keeping cyber security professionals up at night:

  1. Keeping up with the security needs of new IT initiatives (40%). So, the IT team is busy moving workloads to the cloud, deploying IoT devices, or writing new mobile applications, driven by new business initiatives. Unfortunately, the cyber security team often lacks the appropriate technical knowledge and must play catch up on understanding risks associated with changing business processes.

  2. Finding out about IT initiatives/projects that were started by other teams within the organization with no security oversight (39%). So, take the previous scenario around keeping up with IT initiatives and throw in the element of surprise. Think about when a marketing executive announces, “We’ve decided to share sensitive customer data with a third party that specializes in customer profiling and analysis. We started this project three months ago.” Now the CISO must figure out how to safeguard the data after the fact.

  3. Trying to get end-users to understand cyber security risks and change their behavior accordingly (38%). Yes, most large organizations do security awareness training, but it’s treated as a check-box exercise only. Since people are a weak link in the security chain, most organizations don’t push cyber security education far enough, leading to a stressful work environment and big cyber security problems.

  4. Trying to get the business to better understand cyber risks (37%). The good news is that we are on the cusp of a new class of proactive risk management tools, from vendors and others, that can monitor and report on cyber risk in real time. This class of technology will help CISOs and business executives make data-driven and timely risk mitigation decisions. The bad news is that too many companies still view cyber security as a necessary evil and really don’t care to better understand cyber risk. Cyber security professionals working at this kind of organization should address job stress by simply moving on.

  5. Trying to keep up with the growing workload (36%). There is that pesky cyber security skills shortage again. Certainly, there are things that can be done here (technology integration, process automation, and managed services come to mind), but this is a societal issue that the public and private sector must deal with collectively.
