A first-hand experience of the workload challenges security engineers face, and how their employers can help to address them
By Tim Bloomer, a Sales Engineer at AlgoSec
I’m sure we’ve all read about the global cyber-security skills shortage, but even so, the numbers are worth repeating. It’s estimated there are over 4 million openings that are not being filled – which is over a million more than 12 months previously. What’s more, the cyber-security unemployment rate is at 0%. It seems that cyber-security professionals can get hired pretty much as quickly, or as often as they want. But that leads to the question: do they want to stay in the industry?
The latest Chartered Institute of Information Security’s Security Profession 2019/2020 report paints a bleaker picture. It found that 54% of IT security professionals had either left a job due to overwork or burnout or had a colleague who did. It also showed the potential causes of burnout and its consequences. Security budgets are not keeping pace with the rising threat level – and when security teams are stretched during holidays or busy periods, 64% said their businesses simply ‘hope to cope’ with fewer resources when necessary, whilst 51% would let routine or non-critical tasks slip.
I have the first-hand experience in the cyber-security trenches of working long hours, all the time. My wife would call me around 5:00 pm every day to remind me that it was time to come home. But it really wasn’t the end of the working day for me. I simply looked for when I would have an opening at work big enough for me to drive home and open my laptop so that I could continue working. I did this for over 3 years, working 80 to 100 hours every week. That was my ‘normal’ 40 – 50 hours in the office, plus another 40 – 50 hours in a data center during maintenance windows, or working from home. It’s only when I look back that I realize they were very stressful times, which impacted my time with the family as well as my performance level at work.
So why does burn-out happen? Here are a few of the contributing factors to the crazy hours and intense workload, based on my own experiences.
- Unrealistic expectations – every company seems to have projects based on perceived timelines. You might say that you can stand up an application (for example, a VM instance, networking, documentation, configuration, connectivity, etc.) in 3 weeks. This allows for everyone to work ‘normal’ hours and do their due diligence. However, most of the time, that 3 weeks was condensed into a week or less based on external factors outside of our control.
- Understaffing – with the “do more with less” mentality that companies have lately, we seem to all be understaffed. That doesn’t mean the workload decreases, it only means our pressure increases and more hours and duties are added to your day. This has been made worse during the Covid-19 pandemic, with the huge changes enforced to organizations’ networks to support mass remote working.
- Doing more than one job – when your co-workers leave the company, you often have to pick up the workload with your remaining co-workers while they look for a replacement. Numerous companies either do not open that position up for a replacement or only open it to a junior position even if it’s the most senior person to leave.
- Mental health – often this is overlooked. Cyber-security engineers are under enormous amounts of pressure to protect the company’s assets and keep the business running. If everything goes well, no one notices; but if it doesn’t go well, everybody The stress has a lasting effect on us. I, personally, lost two people to suicide, a friend and a co-worker. While I cannot prove that was the reason, I can tell you that my friend definitely felt the pressure.
Now I know not everyone will burn out and walk away, or switch jobs. But how do you reduce that burnout rate, while maintaining your organizations’ security demands and standards? This is where automation of security processes, such as planning and making changes to existing applications or provisioning new applications, comes in.
There’s a common misconception that automation has a negative impact because it replaces people. In cyber-security, however, the opposite is true – automation takes away the tedious manual ‘grunt’ work of making business-as-usual configuration changes, combing through security logs, and paper-based audit preparations. Looking at my bullet points on burnout above, here’s how automation can help in each case:
- Unrealistic expectations – automation helps engineers and their employers make changes to migrate or provision an application in a few minutes, rather than taking days or weeks. There’s no risk of manual errors or configuration mistakes. And because it logs every step of every change, automation even ensures that all the paperwork is done without complaining – speeding up processes and making the business more agile.
- Understaffing – automation removes the need for staff to research and review every change needed, as the solution flags any needs or exceptions. Automation also reduces the reliance on veteran experts and tribal knowledge, because the solution documents everything, helping to cover times when staff are on holiday or have left the company.
- Doing more than one job – you may still have to do more than one job, but at least you’ll have a smart, automated assistant to help you get jobs done faster.
- Mental health – cyber-security engineers love to learn new technologies and implement solutions they know will help their organization in the long run. Using automation is a major step-change in helping organizations streamline and accelerate change processes, and in helping the staff responsible for implementing them. However, this should also be supported by other measures from the organization to help engineers achieve a better work/life balance.
In conclusion, automation solutions can deliver a true win/win, improving the organization’s cyber-security posture while also helping its cyber-security staff with their workload, retaining their skills, and increasing their motivation.
About the Author
Tim can be reached at our company website www.algosec.com