Burnout, Culture Drive Security Talent Out the Door

Securitys efforts to bridge the talent gap mean little when workers dont want to stay in the industry.

We hear a lot about securitys struggle to acquire talent but little about its inability to retain employees. The skill shortage is doomed to worsen if security cant improve tenure.
Earlier this year, Dr. Andrea Little Limbago, chief social scientist at Endgame, polled 300 security professionals to learn about their perspective on retention. Three-quarters had been in the industry for at least five years; 35% for over 11 years.
People normally describe the talent gap as a pipeline problem: the issue is getting people in the door. This is a positive challenge for the industry, she says. It has driven a strong focus on improving university security programs and introducing security into K-12 classes.
It feels so much better to inspire kids to go into cybersecurity, but whats harder is looking at the industry itself and the all the parts that might need fixing, Limbago explains. All of these efforts are negated when industry norms force talented employees out the door.
Burnout
Survey results indicate burnout, industry culture, and ill-defined career paths are three key reasons people leave cybersecurity. Limbago says she was expecting the first two. Burnout is commonly mentioned at conferences and from friends in the industry, she notes.
Survey questions asked why respondents had left previous roles, and burnout and stress were common. When she followed up, Limbago learned businesses werent taking them seriously, despite reports employees were working long hours and weekends without taking time off. More than 70% of respondents report working 41-60 hours each week; 10% work over 60.
They felt their leadership, or their company, interpreted [burnout] as not being committed to their job, as opposed to taking it seriously as a problem, she explains. Its something where organizations need to focus.
While stress was common, only one-third of respondents felt they were professionally challenged, followed by 28% who were somewhat challenged. Security can be stimulating but many tasks are redundant and dont leave time for critical thinking and technical skills.
Theres so much in processes that is so mundane to do hours and hours on end, day after day, especially things that could be automated by now, says Limbago. You could see how that leads to burnout.
Industry Culture
The cultural aspect is a key challenge for both attracting and retaining talent. Nearly all (85% of) non-male respondents had experienced some level of discrimination at professional conferences, and more than half had experienced harassment at those events, Limbago found.
On a corporate environment level, the numbers are lower but still bleak. Nearly 60% of non-male respondents had experienced discrimination at their company, and 44% had experienced harassment within their company or a company events.
Limbago, who has experience working in academia and national security, which also has few women, says she didnt notice the gender dynamics as much as she has in security. While she reports a great community at her own company, she says oftentimes the conference environment can be dispiriting.
Little things here and there, you get used to overlooking and ignoring [them], but over the years it builds up a lot, she says. Company culture becomes so much more important, she adds, and eventually internal corporate culture can affect conference culture as well.
Ill-Defined Career Path
Lack of professional advancement and growth was the main reason respondents left their previous roles, Limbago found, with 53% saying it was a key factor. Almost 20% of respondents cited limited advancement or growth as a factor when deciding to leave security.
So much is written about the workforce openings, the shortage, and how important tech leadership is, but so often the biggest pushback is a lack of career growth, she says. Good tech leadership is necessary, but companies dont provide the paths to prepare future leaders.
Security isnt necessarily a new industry, but its evolving quite a bit for many organizations. A lot of new corporations building infosec teams for the first time dont have resources to build big departments or a definite career track for the people they hire. When a team only has one or two members, those employees generally dont stay too long.
What can be done?
Limbagos research suggests acknowledging the need for time off and creating social events can make a tremendous difference in lowering burnout and driving inclusivity. Its important for this type of culture to start internally, with leadership buy-in to foster greater engagement.
She also emphasizes the need for more realistic performance metrics, which should not be based along the binary of breach or no breach. Metrics for security professionals should be more nuanced and include their successes and failures, and an understanding of the business threat model, while considering the availability of resources.
Retention will be an increasingly critical problem as the need for security professionals continues to grow. Data from
CyberSeek
, a free workforce and career resource from CompTIA and Burning Glass Technologies, reports US employers posted 285,681 cybersecurity job openings during the 12-month period ending in Sept. 2017.
Across all US jobs, there were 5.6 employed workers for each job opening from Oct. 2016 through Sept. 2017. In security, there are 2.6 employed workers per vacancy. This means the security talent pool would need to more than double overnight to meet the market average.
Related Content:
Hiring Outside the Box in Cybersecurity
Virtual Reality Could Serve as a Cybersecurity Recruiting Tool
4 Ways the Next Generation of Security Is Changing
Social Engineer Spills Tricks of the Trade
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity
agenda here
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Burnout, Culture Drive Security Talent Out the Door