Cybersecurity workers are in high demand, and the security industry may face a shortage of close to two million qualified personnel by 2022. That’s concerning given the increasing number of cyber attacks we’re witnessing. But what’s more concerning is that, according to recent research I conducted, the problem is not only attracting talent to cybersecurity, it’s retaining that talent. A large number of people are leaving the industry and not returning to it due to a lack of direction, burnout, and a toxic culture that can include discrimination or harassment.
While building the pipeline through training and education is critical, it means nothing if the industry can’t hold onto the professionals once they’ve entered the field.
In August and September, I surveyed over 300 security professionals, with three-quarters having worked in the field over five years, and 35 percent over 11 years. Their responses highlighted three key factors that have the greatest impact on retention: a lack of well-defined career paths, stress and burnout, and a need for cultural change across the industry. Unless these are addressed, no matter how well we fill the pipeline, the skills shortage will only grow.

Dead-end careers

Over half of the respondents I surveyed listed a lack of advancement and growth as the main reason for leaving their previous employment, and almost 20 percent noted this as a factor when leaving the industry altogether. Organizations must provide clear career paths and development opportunities for security professionals. This echoes findings from a 2016 Information Systems Security Association study, which found 65 percent of respondents lacked a well-defined career path.

High burnout rate

Burnout (32 percent) and stress (28 percent) were other key reasons respondents left their jobs. The results were even more skewed for those considering leaving the industry, with 40 percent and 30 percent saying they were experiencing burnout and stress, respectively. These figures were likely amplified by the fact that 28 percent of respondents pointed to a poor work-life balance.

Bad culture

Cybersecurity also has a branding problem. Unlike the teenagers in hoodies that TV and movies might have us expect, most respondents were between 31 and 40 years old.
Additionally, aspects of a toxic culture can have profoundly problematic consequences. Eighty-five percent of female respondents experienced some level of discrimination at professional conferences, and over half reported experiencing some level of harassment. Thirty-six percent of male respondents also report they have felt discriminated against, and 31 percent report being harassed at professional conferences. More conferences are drawing attention to this and addressing harassment, but there is still work to be done to make tech and security a safe, inclusive environment for all.

How do we fix this?

Given the mission criticality of security, coupled with the workforce shortage, addressing these challenges to retention should become a top industry priority. It’s not easy to change social systems. But with a combination of structural factors and dedicated agents, we can make tech and security a field where skilled professionals want to build long-term, meaningful careers.
Further, corporate policies must progress to address burnout and support longer-term career advancement and growth. Business leaders should give clear structure for how to advance within a company and create an inclusive culture that respects and integrates the work of security professionals. This includes supporting a healthy environment to limit burnout, such as ensuring employees take time off and promoting time away from the keyboard to recharge.
Additionally, small things like having more accurate representation in corporate material could make a difference: only 6 percent of survey respondents felt very represented in material. Similarly, corporate “schwag” often signals a certain culture and should include clothing sizes and types relevant for the entire workforce. Likewise, “outings” should revolve around activities and functions that are not solely based on alcohol.
At the end of the day, corporate leaders are responsible for setting the policies, crafting the workplace environment, and supporting those social activities and values that shape the corporate culture.
They also must lead by example. Numerous tech CEOs have faced scandal after scandal after scandal for mishandling situations, often as a result of the corporate culture they fostered. Contrast those examples with strong leadership whose commitment to an inclusive and innovative culture is more than a public relations pitch, and the outcomes are quite stark. The cybersecurity industry has not been as vocal about corporate culture — especially in the realms of inclusion and diversity — as the tech sector at large. This is starting to change, but there clearly is still a long way to go.
These changes alone are not going to fix the industry’s retention problem. Leaders can foster change through speaking out, in private and public settings, about the importance of inclusion and addressing burnout. The movement also requires engagement and enthusiasm from seasoned industry professionals to spark this change, whether at their companies, on social media, or at conferences. Many already do this, and we need this momentum to scale and expand.
Cybersecurity jobs are too important to the economy, national security, and businesses to lose our best talent over preventable challenges. Fortunately, this mission is one of the most important factors for security professionals and is a great competitive advantage for the industry. With a concerted effort to make professional lives better, we can funnel the talent pipeline into long-term, productive, and satisfying careers that tackle one of the most important, dynamic, and impactful challenges of our time.