Arguably the biggest challenge facing the cybersecurity industry is the shortage of skilled professionals. The worldwide skills gap is much debated, with organizations not having enough viable candidates to fill vacant positions. Most estimates suggest there are millions of unfilled cybersecurity positions worldwide.
However, the root of the problem is not availability of candidates, but the ability to retain skilled, experienced employees. More colleges and universities are offering cybersecurity courses, and online learning programmes continue making cybersecurity fundamentals more accessible than ever – a far cry from how many older professionals first cut their teeth in the industry. But ultimately, no certification or e-learning is a substitute for hands-on experience. While more people are attempting to enter the industry, specialist disciplines and mid-level positions pose challenges for recruitment and retention.
It can take six months to a year for a new cybersecurity analyst to become proficient, while the typical lifetime of a security practitioner working in a typical operating model is around two years – leaving only a narrow window in which employees can add real value to the company.
Data shows skilled and experienced professionals are leaving the industry due to burnout and disillusionment. In the UK, the cybersecurity workforce reportedly shrank by 65,000 last year, and according to a recent study, one in three current cybersecurity professionals are planning to change professions.
According to ISACA’s State of Cybersecurity 2022 report, the top reasons for cybersecurity professionals leaving include being recruited by other companies (59%), poor financial incentives (48%), limited promotion and development opportunities (47%), high levels of work-related stress (45%) and lack of management support (34%).
When discussing the skills shortage, many, by default, think of businesses struggling to recruit for their internal cybersecurity vacancies. However, this is equally challenging for specialist providers of consulting and managed cybersecurity services. Businesses increasingly rely on third-party managed services, particularly mid-size organizations, where outsourcing to a Managed Security Service Provider (MSSP) represents a much more commercially viable solution with considerably less up-front investment.
The global managed security services market size was valued at $22bn in 2020 and is projected to reach $77bn by 2030, growing at a CAGR of 14% from 2021 to 2030 – a sizeable chunk of the projected total cybersecurity market size of $376bn.
For many MSSPs, resource scarcity is driving comparatively higher costs of employment, which in turn is contributing to an unhealthy working environment, characterized by an excessive workload and long, unsociable working hours.
Several factors are driving an unhealthy working environment. Arguably the most impactful is the unsustainability of many MSSP operating models, which rely heavily on manual analysis of vast numbers of security events and alerts. Aggressive customer acquisition and business growth strategies, coupled with a model that is not inherently scalable and the need to maintain price competitiveness, naturally mean these organizations must extract more from their employees to maintain profitability. In a typical large-scale MSSP, the ratio of analysts to clients does not support delivering a high-quality service.
Many monitoring solutions of different types (e.g. SIEM, SOC, SOAR, XDR) rely heavily on automation to scale beyond the limits of a human-driven model. However, product-centric ‘silver bullet’ solutions are being increasingly found out in the wake of rising incident numbers related to ransomware operator activity, raising awareness among buyers of security solutions that they aren’t getting the service and protection levels they thought they were.
How Can Service Providers Tackle Burnout?
It is important that service providers look to adopt models which deliver real security advantages without burdening analysts with excessive workload. We believe achieving this will keep cybersecurity service providers attractive to skilled professionals, creating a model that beats the trend of analyst burnout.