Cybersecurity staffing alert – Gartner sounds the alarm about stress and retention
IT’S A PEOPLE PROBLEM
We tend to think of cybersecurity events, like incursions, breaches, and ransomware attacks, as largely caused by failures in technology. But Gartner’s figures paint a different picture where over-stressed cybersecurity leaders are increasingly thinking of quitting. The numbers also highlight how under-resourced employees are bypassing organizational protections and exposing stakeholders to unacceptable risk.
The report suggests that by 2025, almost half of all cybersecurity leaders will have moved on from their current jobs – and 25% of them will exit the cybersecurity space entirely, largely because of stress.
Gartner Director Analyst, Deepti Gopal, puts it starkly: “Cybersecurity professionals are facing unsustainable levels of stress. CISOs are on the defense, with the only possible outcomes that they don’t get hacked or they do. The psychological impact of this directly affects decision quality and the performance of cybersecurity leaders and their teams.”
Coupled with a hot cybersecurity talent market, Gartner says insufficient attention to human factors poses a major threat to the ability of security teams to keep their organizations safe. The research suggests a number of factors are hampering organizations’ ability to prioritize security risk management and align it with ongoing business success. These factors include:
- Compliance-centric security programs
- Low levels of support from C-level and executive leadership
- Sub-par industry-level maturity
The research firm says staff at organizations that exhibit these factors are more likely to head for the exits and seek out opportunities where they feel they’ll be recognized for the value they bring to the table. Gopal pulls no punches in explaining the importance of culture to organizational performance – and the costs of failing to prioritize human factors:
“Burnout and voluntary attrition are outcomes of poor organizational culture. While eliminating stress is an unrealistic goal, people can manage incredibly challenging and stressful jobs in cultures where they’re supported.”
THE COSTS ARE FRIGHTENING
While some leaders may scoff at the importance of culture or other seemingly soft aspects of organizational performance, the report includes some dire predictions about the bottom-line cost of poor organizational culture. The research firm predicts that by 2025, over half of all significant cyber incidents will be caused by human factors!
This should come as no surprise, as cyber threat actors are keenly aware of the stresses people are under – and are increasingly targeting vulnerable, sub-optimally trained humans.
Potential victims aren’t helping matters much: 69% of respondents to Gartner’s survey deliberately bypassed their organization’s cybersecurity guidance over the previous year, while 74% of them said they’d be willing to do so “if it helped them or their team achieve a business objective.”
Gartner’s Paul Furtado, VP Analyst, highlighted the delicate balancing act most organizations and their employees face as they try to be both secure and agile.
“Friction that slows down employees and leads to insecure behavior is a significant driver of insider risk,” he said.
BUILD THE RIGHT CULTURE
The answer to this challenge isn’t as simple as implementing some new technology or launching a single project. Evolving corporate culture takes time and energy – which may be in shorter-than-usual supply as economic turbulence continues to grow.
But the cost of failure is infinitely higher, and organizations in all sectors must address these areas of weakness to minimize their exposure to ever more damaging and costly cyber threats.
Work with HR and other talent management experts within the organization to focus on the softer side of cybersecurity. Take the time to understand how changes to cybersecurity policies and platforms impact human factors as well as leadership. Also recognize how cybersecurity changes affect day-to-day operations – and monitor carefully to ensure unchecked stress isn’t prompting the best and the brightest to head for the exits.
Invest in appropriate training, and seek input from staff on what they need to succeed and where they see the organization falling short. Implement reward and recognition programs to validate successes and maintain engagement, and prioritize the creation of a positive, cybersecurity-first culture.
THE BOTTOM LINE
The success of any organization’s cybersecurity roadmap is more dependent than ever on the people hired to design and implement the roadmap. At the same time, cybersecurity talent is in historically short supply, making it ever more crucial to hang on to the leaders and experts already on staff.
Failure to do so could unnecessarily expose the organization to greater risk of falling victim to a crippling cyber event – because the people who would prevent it in the first place aren’t sticking around.
The solution is culture – an area we’ve worked diligently on throughout much of our organizational history. Reach out on LinkedIn if you’d like to discuss ways to bolster your own cybersecurity culture and keep your most valuable assets – your people – focused on keeping everything and everyone else safe.