Cybersecurity Jobs – Why Bother?

A provocative title, but one that immediately came to mind when reading this article recently shared by a colleague in a CyAN chat group:
Nearly half of cybersecurity pros want to quit – here’s why (ZDNet).
The main issues mentioned are 1) insufficient compensation, 2) overwork, and 3) disconnects in communication content and style between subject matter experts and stakeholders.
I can only address this from my own experience – in a career spanning almost 30 years working in IT, much of it in various aspects of information security around the world, I very quickly determined that I would never again work a security operations role, ever. In the early 2000s, at one job, my longest workday was almost 90 hours straight, and I remember falling asleep under my desk numerous times and being kicked awake by desperate managers after the on-call duty person failed to respond to a crisis and they had to bring in the contractor to clean up the mess before trading opened.
Similarly, I’ve been working as a contractor/consultant since 1999, with one major exception in 2011-2013 – which similarly convinced me that I never ever wanted either a salaried or a leadership position ever again under any circumstances.
That out of the way, here’s my take on the current state of affairs: a purely opinionated, anecdotal, subjective view of the situation.
Pizza Parties Won’t Cut It
First, salaries. Yes, we have a shortage of professionals. Yes, to some degree it’s a skills issue. But to be harsh: when you face a talent and skills shortage, it’s the result of a funding shortage. If you pay people more, there’ll be more motivation to skill-up and enter a given industry. You’ll also get more unqualified people looking for a quick buck, but that’s the price of admission. Sorry. To quote the finance guy from one of my departments, “what you must realise, John, is that things cost money”. Why yes, Ian, they absolutely do.
To some degree, this shortage is also the result of poor incentives and coordination between universities, government bodies, and industry. Recruiters and HR often don’t realise that “entry level” means just that, and that investment in training and development is absolutely necessary, even if there’s a risk that your talent will move on after you’ve trained them.
Incentives for managers are also badly lacking at times – I once worked for a company with an excellent technology apprenticeship programme, and wanted to take on and develop some new talent, until I found out that even an apprentice would take up HR headcount, costing me the ability to deploy a more experienced professional who could help me actually reach my goals.
I subscribe to the paraphrased adage that “people stay because of leaders and leave because of companies” – if you treat your people well, there’s more likelihood they’ll stick around.
Show Me The Money
It’s not just salaries, but general investment. Information security is incredibly expensive, if you want to be able to do your job right and effectively without keeping an organisation running with spit and baling wire. Many practitioners fail to remember that the CFO, CEO, and other leaders have a fiduciary duty to the shareholders to maximise revenue and minimise cost. This is natural. Infosec generally does not contribute to the bottom line.
Going purely by hard metrics, if the cost of protecting the organisation against hypothetical threats exceeds the potential gain/avoided losses from doing so, your C-level will make every effort to avoid spending money. Even cyber-risk quantification, which encourages CISOs to develop quantitative models to output numbers like ALE (annualised loss expectancy) that your C-level and board can understand, may inadvertently play into this trap, since that ALE figure may be precisely the “less than what it would cost us to prevent/remediate the problem” number.
I like to think of senior leadership and their approach to technology as similar to a car owner. Unless you’re a mechanic or enthusiast, you don’t need to know how to disassemble an internal combustion engine, or even necessarily how to change your oil. But you should understand the fundamental basics of how things work, that you need to bring it in for service every x km, that you should consult a professional when an alert light is visible on the dashboard or it makes certain noises, and maybe, ideally, how to change the tires and fill up certain fluids. Even then, unless your car is a classic or has emotional value, when the cost to keep it running exceeds the benefit from doing so, you’ll probably junk or sell it and get a better one if you can.
This is why we need regulation. Regulation takes away the agency to make certain investment decisions from leaders who may have a tactical, financial-focused view. Taken to its brutal, absurd extreme, the concept of “value of a statistical life”, or VSL, is an actuarial concept used to determine the potential loss from a death. Let’s say, using a VSL of €5m, if the cost to recall a fleet of cars due to a defect that might kill 5 people is €30m, should you do it? What about hiring enough people/buying sufficient tools to secure a hospital network?
What if the immediate, quantifiable damage to your organisation and its customers was less than the preventative cost, but the potential, hard-to-gauge broader societal damage (e.g. through loss of trust in institutions) was much broader? Thus we have the concept of critical national infrastructure (CNI), and regulations such as DORA and NIS2, which take away some of the flexibility of corporate decision-makers to simply not do the needful. This is no different from consumer protection laws, workplace safety rules, environmental protection requirements, etc.
People People People
I’ve had the privilege of working for some absolutely exceptional leaders, who were not just blindingly intelligent, they were also outstanding human beings. These were people who so consistently earned the loyalty of their subordinates that even if they sacked you, you could be sure that it was for a very good reason – and I’d follow them to any job they left for. Unfortunately, these are rare specimens. If you think there aren’t enough good information security people out there, wait until you look at the ranks of management and leadership – incidentally, a population that I’d rather see worrying about having their jobs replaced by Claude than coders or pen testers.
I’ve worked with many managers who were the Peter Principle incarnate – being promoted, whether due to politics or genuine competence, to a point that was beyond their capabilities. Many fantastic technologists are terrible bosses, who all of a sudden find themselves in charge of a bunch of people who look to them for guidance and leadership. Often, they also have mortgages, car payments, or children in private schools, or they’re just worried about keeping their job because new management roles can be hard to find, especially if you’re being paid well. This is human and natural, but it doesn’t help the motivations of their staff.
A Special Shout-Out to RTO – Literally the Devil
There are other issues too – going back to my point about leadership (and culture), I see many companies insisting on mandatory in-office time. Why? Your only metrics should be performance and effectiveness. Sure, you may want a system under which employees can demonstrate they work independently and reliably enough unsupervised, but why do you care where they do so once they’ve proven their worth? If you are not capable of verifying that, you shouldn’t be in charge. (Good) management is hard, that’s why it pays. I refer you back to my previous point about people leaving because of companies – and their culture, or lack thereof.
It’s Human Nature, Stupid
Every job – white or blue collar alike – deals with the kinds of challenges you may see anytime more than 2 human beings get together. Ignorance, insecurity, inertia, laziness, lack of critical thinking, ego, unwillingness to use your imagination – these are all human traits, and a big part of why politics are a thing. If you’re a knowledgeable veteran with a proven track record, at some point it just gets old.
This is why I love working with startups, and enjoy mentorship. When you’re able to share experience and insight with people who are motivated to at least listen and think about what you have to say, even if they then don’t act on it, it’s far more rewarding than a high-stress corporate environment where you’re not only fighting fires with insufficient resources, but also dealing with rigid structures and hierarchies. Obviously this is far from universal, and some people are much more comfortable dealing with organisational environments than the often hair-raising uncertainty of going long periods of time without billable hours.
All of the above are not specific to information security. But, as with IT as a whole, this sector is also seeing a drastic acceleration of pace due to AI, the evolution of threats, and changes in the way business is done. I don’t have an easy answer beyond, if you’re concerned about insufficient security experts as a leader, have some empathy. There is a reason why we need initiatives like Cybermindz to help people deal with stress, overwork, and anxiety.
So Why Bother?
I maintain that it takes around 10 years to develop a good information security professional – whether in terms of subject matter expertise, or the extremely broad set of skills and knowledge you need in order to be able to do the job well. You have to know technology, business (especially if you’re the CISO), law, psychology, geopolitics and other seemingly tangential areas to varying degrees, depending on what you actually do. This means you have to have the kind of brain that enjoys challenges and learning, and a great deal of intellectual stimulation, even if you also run into difficult people and seemingly intractable scenarios on a regular basis.
Even with all the issues and gripes I listed above, infosec – whether you’re a pen tester, architect, programmer, trainer, risk manager, compliance auditor, sysadmin, vulnerability manager, you name it – is a fascinating, broad, evolving field full of amazing people. It’s rarely dull. I think it’s the ability to regularly deal with stimulating people and topics that keeps many people going, despite the challenges and adversity.
The question is, how do we keep that equilibrium? In one of my first jobs, I quickly came to the conclusion that the way to get the best out of your staff is to hire competent people, trust them, and pay them well. That still holds true, almost 30 years later.