Burn-out
Since covid, chief information security officers (CISOs), when they gather, have been ready, readier than their physical security counterparts, to talk about ‘burn-out’: the stress of the job, while sometimes stimulating, being more than some can, or want to, handle. According to research commissioned by the cyber vendor BlackFog, nearly a quarter, 24 per cent, of CISOs or IT security decision makers (ITSDMs) surveyed in the UK and United States are actively looking to leave their position. A further 54 per cent, while not actively looking to quit, are open to new opportunities. As for why that majority is considering leaving their role, nearly all, 93pc, state that the stress and demands are affecting their decision. When asked about their typical working week, nearly everyone, 98pc, reported that they work more than their contracted hours; on average, they are clocking up an extra nine hours each week.
Dr Darren Williams, CEO and founder of BlackFog, said: “These findings validate the turnover we witness in the market every day, compounded by the lack of resources and tools to combat new AI based threats. The cost and time involved in replacing senior level security leaders is considerable so it’s absolutely essential that organizations address the root cause of stress to reverse the cycle of churn.”
Workforce ‘gap’
ISC2 – the membership and certification body for cybersecurity people – estimated the global cybersecurity workforce ‘gap’ at 4.8 million people, or a 19 per cent year-on-year increase. The global cyber workforce growth has slowed for the first time since ISC2 began estimating the workforce size six years ago, holding at an estimated 5.5 million people (a 0.1pc year-on-year increase). This contrasts with last year, when the workforce grew 8.7pc year-on-year despite declining economic conditions. ISC2 Executive Vice President of Corporate Affairs Andy Woolnough said: “The ISC2 Cybersecurity Workforce Study highlights a concerning perception among cybersecurity professionals. After two years of declining investment in hiring and professional development opportunities, organizations are now facing significant skills and staffing shortages – an issue that professionals warn is heightening overall risk.
“At a time when global instability and emerging technologies like AI are rapidly increasing the threat landscape, investment in skills development and the next generation of the cyber workforce is more crucial than ever. This will enable cybersecurity professionals to meet these challenges and keep our critical assets secure.”
Investment in cyber
Christian Toon, Head of Cyber Professional Services at the law firm Pinsent Masons, says: “Investment in cyber should always be a risk-based decision; the appetite for risk can and does change. Some organisations are using the current economic climate to re-evaluate this. If organisations can’t spend more, they are instead considering how their current spend can be more effectively used – such as support from other budget holders.”
An interesting trend is that cyber people are relatively open, compared with their physical security counterparts, about talking through their response to a cyber attack (months-long, with long hours and painful stress). At the British Library, pictured, which a year on from its October 2023 attack was still restoring services, let alone working on cyber resilience, chief executive Sir Roly Keating has published updates as blogs on the Library’s website. Partly, that’s simply courtesy, explaining to library users why services aren’t as usual; partly, society is becoming ever more accepting of cyber attacks. Partly, such openness informs the public of the risks of bad cyber hygiene, and adds to the store of knowledge among IT people, non-specialists and the public alike. To give only two recent examples, Stuart Morgan, IT director, Portsmouth College, was among invited speakers at the JISC security conference covering academia in November, on ‘living through a cyber attack, in the hope that should the worst happen you are prepared’; and at Andy Davis of Trident Manor’s heritage resilience conference in October, Jen Kaines of Royal Armouries Leeds likewise gave ‘lessons learned’. A University of Manchester data breach was featured in the February edition of Professional Security Magazine. A year on from the 2023 attack, the uni’s chief information officer (CIO) Patrick (PJ) Hemmaway admitted that ‘we’ve still got a little bit of PTSD’. As for prospects, he said: “I know something will happen, but I don’t know what the scale will be” and “it’s my job to make sure we’re protected as best as we can be.”
Titanic mindset
An IT recovery company makes the point that some have a ‘Titanic mindset’ when it comes to data recovery. Stephen Young, Executive Director at Assurestor, says: “Organisations are thinking they’re unsinkable – until they’re not. The recent global outage, while not a traditional data hack, has been estimated to cost businesses up to $1.5 billion and is proof that no organisation can afford to be complacent regarding downtime. Closer to home, last year’s Rhysida attack at the British Library highlights the impact of a cyberattack on an organisation operating with legacy systems and security in today’s aggressive cyber environment.
“Absolute reliability in your systems and data recovery is non-negotiable. If there is even an iota of doubt, it’s an open door for challenges. This uncertainty needs to be identified and addressed before disaster strikes. The fact that only just over half of respondents think their data is recoverable is a concern; this figure should be much nearer to 100 per cent. Otherwise, how can your ‘readiness for recoverability’ be reported confidently to the board and senior stakeholders? Confidence comes from identifying a company’s realistic needs, without compromising on cost – and thoroughly testing, repeatedly.”
A HackerOne-sponsored SANS Institute report on the impact of AI on cybersecurity found that over half (58pc) of respondents predict AI may contribute to an “arms race” between the tactics and techniques used by security teams and the criminals. The research also found optimism around the use of AI for security team productivity, as 71pc reported satisfaction from implementing AI to automate tedious tasks. However, respondents believed AI productivity gains have benefited adversaries; and were most concerned with AI-powered phishing campaigns (cited by 79pc of those responding to the survey) and automated vulnerability exploitation (74pc).
Matt Bromiley, analyst at the SANS Institute, said: “Security teams must find the best applications for AI to keep up with adversaries while also considering its existing limitations — or risk creating more work for themselves. Our research suggests AI should be viewed as an enabler, rather than a threat to jobs. Automating routine tasks empowers security teams to focus on more strategic activities.”
Given the ever-expanding surface of cyber vulnerabilities, more than three-fifths (66pc) of tech people surveyed by the audit and business services firm PwC rank cyber as the top risk that their organisation is prioritising for mitigation over the next 12 months. According to PwC’s 2025 Global Digital Trust Insights survey, the top four cyber threats found most concerning — cloud-related threats (cited by 42pc of those surveyed), hack-and-leak operations (38pc), third-party breaches (35pc) and attacks on connected products (33pc) — are the same ones that security executives feel least prepared to address. As for drives to spend on cyber, there’s carrot – cyber resilience can be a differentiator for competitive advantage, and keep customer trust and brand integrity, PwC suggests; and stick – regulators increasingly pay attention to cyber.