By Pete Nicoletti, Check Point Field CISO, Americas.
Nearly half of cyber security leaders will change jobs by 2025 due to stress and workplace burnout. Here are some tips/advice that I can share with other cyber security professionals to help manage this issue. Get actionable insights into stress and burnout below and put them into practice right away in order to reduce your security risks.
To provide context, there are several dynamics in play:
A new Gartner study reports that cyber security professionals are under unsustainable levels of stress due to:
- “Compliance-centric” security programs
- Low executive support
- Below average security program maturity
The above combined with:
- Lack of talent and human failure will contribute to half of all cyber security incidents by 2025
- Employees are very willing to bypass security controls to meet a business objective
- Very few organizations are addressing the Insider Threat risks
This is leading to security professionals changing jobs or even changing careers. How can you address this area of risk? Here are actionable ideas:
1. IT and security leaders must work closely with their staff: See what tools are working and not working. Find time wasting, ineffective tasks and replace with a tool. Take the time to sit next to each employee and watch what they do and fix what is broken, not integrated, wasting time, etc.
2. Ensure that C-Levels are briefed and aware of all security projects and risks and ensure that the security department is supporting new business initiatives.
3. Ensure that your budget is appropriate to your risks and if its not…be relentless is getting it aligned.
4. Involve staff in creating the security department mission, rather than dictating it to them. Redo it yearly.
5. Involve all C-Level staff in Incident Response tabletop exercises, to ensure that your program is up to date, involves all that are appropriate, and increases executive awareness as well as executive participation.
6. Have security staff rotate through all job functions for cross training and awareness of all roles. If you are old school and have network staff, rotate them through security staff training.
7. Give generous vacation and flexible time off. Make sure you have enough staff to support this.
8. After any stressful project, reward involved folks with recognition and extra time off.
9. Ensure that folks on vacation are not bothered with work issues, and get really unplugged.
10 Beef up your training program, trained employees do far better than untrained.
11. Beef up your professional certification support program, pay for CISSP, CISA, CISM and other certifications and have a lock-in period to get the free training.
12. Be on the lookout for disgruntled employees and deal with them quickly.
13. Recognize employees' extra efforts and reward them.
14. Do staff events on a frequent basis.
15. “Game-a-fy” some of your projects. Make them fun with rewards at certain milestones.
16. Consider using the idea from the movie “World War Z”: Take the person most familiar with a project and have them argue against the project. It brings out issues that others may not be aware of and its fun to make people think outside the box.
17. If you outsource a portion of your estate or services, make sure they are working well with your staff, meeting SLA’s, responding to questions and issues and helping your mission success.
18. Prove the benefits of security controls to all staff to prevent bypassing controls.
19. Leverage Peer Salary reports and ensure that your compensation program is superior or at least on par. If you want the best, pay for the best.
20. Significantly reward employees that spot and report security issues. Make sure all know about the reward.
21. Have a succession plan in place for all key employees.
22. Identify employees with significant tribal knowledge. Ensure that it is documented, have other staff cross train, and make the employee take off on multi-week vacations to ensure there is not a critical dependency.
For more insights from Field CISO Pete Nicoletti, please see CyberTalk.org's past coverage. Lastly, to receive more cutting-edge cyber security news, best practices and analyses, please sign up for the CyberTalk.org newsletter.