Cybersecurity professionals are tilting at windmills - interview
Companies lure cybersecurity professionals with perks like health insurance, snacks, and game rooms. But all they want are less mundane tasks and feeling appreciated.
A career in cybersecurity comes with a mission of fighting off the bad guys and making the world a safer place. However, many professionals struggle with mundane tasks, such as manually verifying flagged vulnerabilities. At the same time, companies are understaffed due to skills shortage, which results in a heavy workload for the employees and makes them consider leaving the job or even the field of cybersecurity altogether.
Even though the recent (ISC)2 Cybersecurity Workforce Study showed that cybersecurity professionals are a highly engaged and satisfied workforce, the prevailing narratives in the media tell a different story - employees feel stressed, unappreciated, and face overwhelming pressure.
The Invicti AppSec Indicator report shows that current IT, security, and DevOps staff are feeling this burden, with 78% saying their stress levels have increased since last year and nearly two-thirds saying they’ve considered leaving their job.
Employees often complain about monotonous tasks. According to the Invicti survey, 96% of respondents say false positives are problematic and a time suck at their organization, and 78% say they always or frequently perform manual verification of flagged vulnerabilities, with each taking over an hour to investigate.
I virtually sat down with Mark Ralls, president & COO of Invicti, to talk about talent shortages, professional burnout, and how companies should address this problem.
There are not enough cybersecurity professionals. At the same time, those who are in the market often feel burned out. Is that true?
It is true. Cybersecurity has never been an easy job to have for anyone. It has always been a job that is viewed often within an organization as a cost center, a barrier to getting products out the door, at least software products. That's created a lot of challenges and pressure over time. Like with many things, everything changed at the onset of COVID. Now, you had a very rapid shift where virtually all employees had to be remote, at least for a while. It created a tremendous amount of pressure for cybersecurity professionals to secure those remote workers, which is a lot of added work. Right around the time they got a lot of that sorted out, you had the SolarWinds breach, which again created additional work for cybersecurity professionals.
Then, on the heels of that, you've got just this huge surge in ransomware, it's been ongoing, but it seems to have hit a new level. So cybersecurity professionals have far too much work to be done. They don't have enough time to do it, the tools and resources they need, or the budget to purchase those tools. I had one of our customers, a large Fortune-500 company, who said: 'look, I've only got one cybersecurity professional per 500 developers'. 'Why is that? Can't you get a budget?' I asked. He said: 'no, I've got all the budget I need, I can't hire people. I can't find people who meet my needs and who can do what I need from them.'
Cybersecurity teams are just in a tough spot where they don't have enough people on the team. Those teams also don't have the tools and the resources they need, and, over the last year and a half, the work and the crisis have just stacked one on top of the next, and it has created a challenging situation with a lot of burnout and a lot of challenges for those workers.
Your survey revealed that two-thirds of employees were considering leaving their job. I wonder whether they were thinking about leaving the company or cybersecurity altogether?
I think there are two things. One of them is, there's always that 'the grass is greener on the other side' phenomenon, where someone says, 'I know my situation here, my management won't give me tools, or I've been talking to this other company, and they say they'll buy whatever tools I need, and so I go there, and I'll make more money, and maybe I get what I need.' In reality, that other company may not acquire the tools they need either. We see a little bit of a trend, especially for less senior non-management cybersecurity pros, where they may even become independent bug bounty hunters. There's been a rapid increase in bug bounty programs out there, and companies are paying for bug bounty programs, and that's another area where they may be deciding to go freelance. And that can be a very rewarding career, but it can also be a tough one because your bounties can be very unpredictable. That's a whole different stress level when I have to get paid for this bug, or I can't pay my mortgage or something.
If a company can't find employees, what are other ways to make a person stay in the job? You say that the job is mundane. Also, do these things that companies present as work perks, such as complimentary snacks, game rooms, etc., help at all?
People get into cybersecurity because it is a noble calling. You are one of the good guys, and you are fighting off the bad guys. I think that's a big area that you have to highlight for your employees. To retain them, is the bigger picture of what you are trying to deliver here, what you are trying to achieve, and the fact that what they are doing matters.
But that's hard. All organizations say that false positives are a huge problem and time-suck. A company says it is hoping you defend it against the bad guys, and the work you do is critically important. But then these employees may spend 50-60% of their time investigating things that turn out not to be real vulnerabilities. That's very demoralizing, and that undermines that message. You are not helping the good guys to fight the bad guys; you are tilting at windmills. You are fighting ghosts that aren't there. This goes back to the idea that you've got to have the right tools and automation. If you give those teams a product that, for example, minimizes false positives, your team is working on real vulnerabilities, and by doing their job, they are truly making the organization more secure. What we've heard from our customers and what our survey finds is that you are much more likely to retain an employee who feels that the work they do is valuable, versus what they do is just investigating shadows that aren't real.
Companies complain about the skills shortage. Yet, the requirements I see in job listings are pretty high. Why can't they fill at least some of the positions with juniors?
I think it has to change. Employers have to become realistic. If you determine that you need a team of, let's say, ten people, first of all, you need to have the right tools and automation in place. If you spend money on the right software tools, you may not need ten, and maybe you can get away with five or six. But even in that situation, you need one or maybe two very experienced people, folks that have been in the industry, and they've seen a lot of different things.
We hire more junior employees, who are willing to learn and work hard, and then we pair them with those senior employees who help train them up, grow them, and make them more sophisticated. We teach them how to work with our tools and systems and do what we need them to do. That way, it's much more cost-effective, and those employees learn very valuable skills, and it's an appealing role because they are growing. I think this is an area where organizations have to get more realistic.
If you have a team of six, you can't have six folks between zero and five years of experience. You need someone experienced, but with that experienced person, everyone else can be much more junior. You'll be amazed at how quickly people can learn and how eager college graduates are, or even folks that have done two-year degrees or a shorter program that's very focused on cybersecurity. And again, that's an area that we've seen a lot of success globally with our global workforce.
What keeps up the spirits of those pressured cybersecurity professionals? How do you make them loyal and make them stay with you?
We automate everything that can be automated. It means that our employees aren't doing the same mundane tasks over and over again. They are doing things that require human knowledge and human judgment, things that are much more interesting and much more rewarding. We are investing a lot in our products to build out AI-enabled features to chip away at those things that haven't been possible to automate previously. You can never replace a human, and we are not trying to. We are trying to give the human a better robot partner to work with, where the robot is doing all of the basic work, all of the mundane work. Then a human is doing what a robot can't figure out, what is more challenging, rewarding, and interesting.
It goes back to this idea that cybersecurity is such a noble calling. Let's be honest. If you have the skills to be a white hat hacker, you also have the skills to be a black hat hacker. But you are choosing to be good. You want to know that every hour you spend is a really valuable hour, making a difference and making an organization more secure. That only works if you've got your robot counterpart doing all of the mundane work for you and just handing you the things that are bigger, more important, more difficult, more challenging.
Then cybersecurity pros are working on that, and they thrive in that environment because that's what they want to do. They want to do the more difficult, more cutting-edge work.
How will the situation change in the near future?
The black hat hackers continue to innovate, and we, on the white hat side, have to keep innovating to compete. I think that you will see many more applications of AI and machine learning. The reality is, you can never replace the human. Or at least not any time in the near future. It's like fusion reactors and self-driving cars. It's always five years away.
You need to have a robot do more and more of the work so that humans can focus on the value-add. Because that is the only way that we are going to catch up. We all have to get more aggressive in hiring and training employees. You can't wait for that perfect employee. You have to look at someone and say, do they have the eagerness to do this work, the aptitude for that, can we train them. Then you pair those really smart, talented, hungry employees with someone who's got five, ten, fifteen years of experience doing the job. You'd be amazed at what can happen and how quickly you can move.
We are constantly talking about what if we onboard all those talents, train them, and then they will just leave and take jobs elsewhere. But that's ok. Because one of the things I love about cybersecurity is that the cybersecurity team at my competitor is not my enemy, they are my ally. We have a common enemy, which is the black hat community. We all work together, and if one of my employees goes somewhere else, we are all progressing in that fight to make us more secure.