Burnout among information security (InfoSec) professionals is a prevalent cause of staff turnover, as highlighted by a recent Kaspersky study that included participants from the META region (Saudi Arabia, UAE, Turkiye, South Africa, Nigeria and Egypt). The growing complexity of the cyberthreat landscape and the persistent skills shortage exacerbate this issue. Companies face significant challenges in recruiting and retaining experienced InfoSec professionals, primarily due to compensation issues, inadequate working conditions, lack of management support, and frustration over limited access to the latest technologies and tools.
The study reveals that 40% of companies’ cybersecurity teams are understaffed. Even when companies find adequately qualified professionals, retention remains difficult, particularly for mid- to senior-level positions. Experienced professionals are challenging to find, recruit, and retain due to high demand and limited supply.
Recruitment challenges and timeframes
The demand for experienced cybersecurity experts far outpaces the supply, leading to prolonged recruitment periods and high turnover rates. Junior cybersecurity staff positions are typically filled within six months (70%), while only 3% of roles take more than a year to fill. In contrast, staffing senior positions is much harder, with more than half of companies (58%) taking between four and nine months to find suitable candidates, and 36% taking nine months or more. Only 6% of roles are filled in one to three months.
Tenure correlated with expertise
There is a strong correlation between the level of expertise and tenure. Senior InfoSec professionals tend to stay longer in their roles, with 49% remaining in top-level positions once achieved. Conversely, junior employees have a higher turnover rate, with most staying three to four years and only a small fraction (3%) remaining beyond five years.
Resignation reasons
Key factors contributing to InfoSec professionals leaving their positions include personal (human) reasons such as compensation issues, inadequate working conditions, and lack of management support. On the expert level, professionals often cite the need for continuous skills development and frustration with not having opportunities to work with the latest technologies and tools.
Professional dissatisfaction is the leading cause of resignations, with lack of growth opportunities being the primary reason (59%). Lack of management support and monotonous work are also significant factors, causing 50% and 49% of professionals to leave, respectively. High stress levels and inflexible working policies further contribute to the turnover.
One important finding is that 46% of experts are dissatisfied due to the lack of opportunity to work with the latest technologies and tools. This is a fairly high percentage, and in many ways it depends on how the company builds its cybersecurity systems: does it pay attention to employee development? Does it allocate money for various processes, or interact with the market and other experts?
The burnout factor
Burnout is a critical issue among InfoSec professionals and is closely tied to the way a company builds its cybersecurity systems. It is not just the result of one stressful incident or working long hours. Rather, burnout is a state of physical, emotional, and mental exhaustion, driven by repeated stress. Individuals experiencing burnout often feel that nothing is functioning properly and that they are accomplishing very little. This chronic stress, driven by a combination of monotonous work and constant monitoring of security alerts, can lead to a severe state where individuals can no longer function effectively on a personal or professional level.
The insidious nature of burnout is that it develops gradually, often fooling hard-working professionals into believing that living in a constant state of stress is normal and acceptable. As a result, it can be difficult for individuals to recognise and address it early on.
To combat burnout, companies must rethink their approach to managing InfoSec teams. They need to find ways to relieve the stress faced by InfoSec professionals, provide them with tools to alleviate pressure, and offer support and feedback. Automation plays a key role in this process, significantly reducing the daily burden on professionals by handling repetitive tasks such as monitoring alerts, analysing logs, and responding to low-level threats. This shift allows professionals to focus on more complex and rewarding tasks, enhancing job satisfaction and career growth.
Strategies to retain employees and support their well-being
Kaspersky recommends the following strategies for companies to mitigate burnout and support InfoSec teams:
- Relieve stress and make work more rewarding by implementing reward systems and recognition programmes to boost morale.
- Evaluate staff and provide regular feedback through continuous performance evaluations to help professionals feel valued.
- Ensure management support in both routine and complex tasks so that employees feel backed by their leadership.
- Rotate employees’ roles and manage workloads to prevent monotony and reduce stress.
- Automate processes by leveraging automated solutions for routine tasks, which eliminates the burden on professionals. Solutions such as Kaspersky Next XDR Expert can reduce monotony and free InfoSec professionals for more rewarding strategic work.
- Invest in additional training by offering professional development and ongoing educational programmes such as Kaspersky Expert training to keep skills current and employees engaged.
By addressing these factors, companies can better manage burnout among InfoSec professionals, improving retention and job satisfaction.