This page is devoted to just some of the comments we receive, both in response to the survey and in conversations with security colleagues.
More work-from-home and less commuting has helped.
Budget and work load is a problem in higher ed as well as low salary for the industry segment.
This needs to be raised up to CIOs and other leaders. CISOs are rapidly burning out.
I’ve never seen anything like this initiative and it is a wonderful idea. Great thinking.
I think this is a great survey, and goes beyond cybersecurity. I think all levels of IT are feeling similar strains.
I don’t think stress is unique to cyber security professionals. Any professionals that deal with risk and compliance are in the same genre, so to speak.
As a veteran, I can find similarities between my experiences in wartime and in my career in cybersecurity. I’ve been in the business a long time, and have managed to survive a lot of incidents. Each one makes me jumpier, more stressed, and more resigned to the fact that it’s a battle of attrition.
This is a great survey idea shining a light on a real problem in cyber. I hope it helps. Thank you.
I’ve been in security for about a year, and have worked at the same place for more than a decade. The number one issue for me is poor leadership. There’s little direction and it feels like everything is an emergency. The CISO isn’t interested in developing people, he expects the people to run their own programs, despite being new to the role. I also find a lack of communication skills among security and systems people in general leads to many of the people problems within my environment. It’s not all bad, certainly, but can be frustrating and if not for how we’re handling COVID-19 (very positively) I would 100% look for a new place to work.
Commute + Security expectations is a very difficult journey to deal with. Can’t find other jobs anywhere near home, so trying to find remote jobs now as that widens the employer pool.
I actually left my IT management position a couple months ago in favor of a direct-report position working in my university’s ERP group. The inability of my campus administration to prioritize security management over “slick” public-facing projects, combined with their stratospheric expectations for infosec, eventually drove me out after 6 years as a manager.
Essentially the biggest issue in my environment is the old school mindset of “if you are not constantly looking busy, then there is not enough work for you to have a job” coupled with the “your opinion most likely does not matter and do what I say from executive leadership”.
I believe one of the larger causes of stress in the industry is a never-ending need to do more to keep the organization secure that comes with a constant battle for more people, more funding that is almost never enough.
As a leader I have had an almost constant struggle with staying in HR guidelines, where there is rarely understanding of the unique needs of information security teams. You almost need to break the rules to help your team have things like flexible schedules and pay that aligns with skillset. What I have found though is having a leader that puts people first and willing to have the battles with HR the less stressful the environment.
Being a security professional is frustrating and stressful enough in this threat landscape. When we have a lack of support for best practices, and active resistance to our efforts, it shows just how little security is considered to be important.
I started in the industry over 40 years ago. I’ve watched it go through the same cycle many times. Each time the technology created an opportunity for change our industry (yes, our industry) did whatever we could to push back. That’s why we have so much “security technology” being generated by software companies that should have no business creating security tools or worse, companies actively promoting security solutions that don’t make a difference.
We refuse as a community to do the right thing and continue to tolerate poor business practices and a decision making process that values short term profits over people’s health.
One day recently while talking to a board at a health care company I realized that nothing was ever going to change as long as people kept saying yes to their dumb ass requests. I was overweight, had crazy blood pressure, no sleep and was drinking way too much. I was a CISO for hire. I was called in when things went completely sideways and it was my job to fix it.
After doing this for over 10 years and listening to dumb crap like “we’re going to use agile development techniques to formulate our mission statement” I realized that I needed to get out or I was going to shoot someone.