We must consider cybersecurity professionals during the pandemic.
The Covid-19 crisis has led us into dangerous cybersecurity waters in more ways than one.
No matter how much we think we know about the so-called ‘new normal’, including the fact that there’s nothing normal about it, new issues continue to arise from the Covid-19 pandemic.
While the Government is making daily decisions about how to mitigate the virus and businesses are figuring out how to survive the economic effects, every industry is facing its own unique challenges that are regularly changing.
One sector in particular that has been in the spotlight is cybersecurity. Ever since the mass move to remote working several months ago, industry experts have spoken about accelerated digital transformation, the implications of using cloud computing and the increased cyberattacks everyone needs to look out for.
Just last week, a new report from Interpol highlighted the increase in cyberattacks, with its secretary general warning that cybercriminals are developing and boosting their attacks at an “alarming pace”.
While it’s vital to shine a light on these developments and heed the warnings, we must also consider the effects that all of this is having on IT and cybersecurity professionals. When virtually every office-based business sent their staff home to work remotely for the foreseeable future, it was often left to infosec teams to ensure the business was still secure and that employees could access their systems safely and securely, but also quickly.
I discussed this last week with infosec expert Brian Honan, who said that some security teams were working flat out for several days at the beginning of the pandemic, organising VPN access, reconfiguring systems and moving entire workforces to the cloud.
The high-pressure work didn’t end for them there either, Honan pointed out, as remote systems need to be maintained and that maintenance has moved away from a centralised office system. “Supporting users in a remote environment can be much more challenging as well, so the workload has increased a lot,” he said.
Add to this the more sophisticated and rampant cyberattacks from criminals who are boosting their efforts to take advantage of the pandemic, and you are left with a security workforce under extreme pressure.
When you take all of this additional work into account, it’s no wonder that security professionals may be starting to feel the effects of burnout. In a recent survey commissioned by cybersecurity company SIRP Labs, 42pc of security professionals said they feel the pressure has intensified, while 34pc said work-life balance has been disrupted. The report also suggested that half of first-time security analysts working in security operations centres plan to leave after just three months in the job.
Even outside of these additional pressures, cybersecurity has always been psychologically taxing. We previously spoke to Chris Schueler from Trustwave about this and he said the “grey nature” of cybersecurity doesn’t lend itself to a very structured work environment.
However, there’s another element that has been affecting the industry for a number of years now and recent developments suggest it may be about to get a whole lot worse: the cybersecurity skills gap.
The lack of sufficient infosec professionals has been discussed many times before. Last summer, research from job site Indeed highlighted the continuing shortage of IT and security professionals in Ireland, and in February of this year a survey of 500 CISOs showed 62pc of respondents expect the global cybersecurity talent shortage will get worse over the next five years – and that was before Covid-19 had begun to spread in Ireland.
‘Making cuts to the cybersecurity team means those who are left behind will be under even more pressure with the workload that’s left’
In spite of these fears, it looks like cybersecurity teams could be set to get even smaller. Last month, a PwC survey suggested that IT investment could fall by more than 20pc in the coming years.
In its latest European CIO survey, PwC found that while the transition to working from home has worked well for many, IT investment is likely to suffer. On a slightly more positive note, those surveyed identified improving cybersecurity and privacy reliance as a new priority in the coming years.
However, Honan expressed concern about this, saying he has already seen a reduction in security teams.
“Many companies, due to the pandemic, are downsizing and are actually cutting their cybersecurity teams, so we have a lot of cybersecurity professionals being let go and, despite the much-hyped cyber skills gap that was around pre-pandemic, those people being let go aren’t being hired very quickly,” he said.
While these cuts may not be surprising during such an economically stressful time, making cuts to the cybersecurity team means those who are left behind will be under even more pressure with the workload that’s left. Without being able to alleviate that pressure, security professionals are facing burnout, which will cause even bigger security problems for companies down the line.
So, with all that in mind, what do companies need to think about? Firstly, they need to be careful about reducing the size of their IT security teams. While the pandemic has forced many businesses to make tough choices and cuts, it’s important to think about the long-term effects of each one, especially when it comes to security.
Businesses must also understand the level of pressure their security professionals are under and check in for signs of burnout. Any burnt out worker or team is going to become less productive, less focused and might even end up leaving. But in the area of cybersecurity, these situations can lead to much bigger problems for the organisation.
While leaders must think about digital transformation and cloud computing, they must also make sure their remote workforce is safe and their systems are secure. These areas are often deferred to the cybersecurity team and it can be easy to forget about how additional challenges are affecting these professionals. But in order to truly protect your systems, your employees and your business, you must ensure you are protecting your cybersecurity team.