The so-called ‘great resignation’ currently upending the U.S. labor market is starting to affect cybersecurity programs with a growing number of senior leaders opting for early retirement and mid-level managers leaving in droves for less stressful, fully remote work opportunities.
According to new data from the Labor Department, the number of Americans quitting their jobs is the highest on record. In November last year, more than 4.5 million people voluntarily quit their jobs, causing major disruptions in certain sectors like retail and hospitality.
It’s no different in cybersecurity where job sites are recording a surge in job listings, much like the “Help Wanted!” signs popping up on storefronts and restaurants everywhere.
“We are seeing people burning out and getting frustrated. We’re doing a lot of ad-hoc counselling, especially mid-level managers in the bigger companies,” says Michael Piacente, co-founder of Hitch Partners, a firm that conducts executive searches in information security.
“We’re not yet seeing mass-resignations being a big problem at the very senior levels. Sure, we are seeing some early retirements at bigger companies and some serial-CISOs going the virtual-consulting route, but it’s mostly affecting the junior levels,” Piacente said in an interview with SecurityWeek.
“We’re not to the point where senior folks are leaving security to go open a flower shop. That’s not what’s happening,” Piacente said. “We’re starting to see some CISOs retiring early or saying ‘hey, I want to go do a virtual CISO gig’ to get away from the everyday grind.”
“It’s not happening in droves, but it’s happening, especially with the serial-CISOs who’ve been around the block.”
Multiple CISOs polled for this article confirmed staff churn tied to pandemic-induced resignations and exhaustion from the ransomware and supply chain security crises that erupted throughout 2021.
“Quite frankly, security teams are exhausted. It’s been two years of trying to cope with all the incidents while dealing with mental anxieties from the virus. Of course people are thinking about quitting,” said one CISO at a publicly traded financial services firm who requested anonymity to speak freely about frustrations in his program.
“I’ve had a noticeable number of resignations where folks left without another job lined up,” he said, noting that the rate of quitting has been noticeable in teams doing incident response and everyday blocking-and-tackling of security threats.
“If you are in the packet mines, you’re likely exhausted. If you’re in a security program that isn’t supporting you properly, you’re probably already interviewing somewhere else. That’s where we are as an industry.”
According to Andy Ellis, a security leader who recently left Akamai after a 20-year run, managers who aren’t great leaders are continuing to rely on “high friction tools” that do not scale well in the new distributed work environment.
“I suspect that employees have built and adopted for themselves more robust lateral communication channels like Slack or Discord that aren’t tied to their employers. This enables teams in distress to support each other, and then, as people move, to show that the grass really is greener on the other side,” Ellis said.
He noted that the initialization cost to change companies is now really low. “You can interview in between meetings at your old employer. When you do change, you don’t even have to pack up your office, since you can keep the same one!”
Rob Fry, a veteran cybersecurity executive with experience at enterprises and early-stage startups, believes the ‘great resignation’ benefits cybersecurity in the long run as salaries and working conditions improve but he warned that small- and mid-sized companies will struggle to compete for quality talent.
“It’s much harder to hire good talent in the startup world. The [salary and stock] divide is too wide. Startups have to hire younger people and invest in them but, even then, you barely have them for about five years before they leave for a bigger company. Some companies will always be able to pay better and give out those RSUs that attract the top people. Some smaller companies simply can’t and that’s leading to even more churn,” Fry explained.
This means that startups are turning to third-party service companies to augment security staff, Fry added. “It’s sometimes easier to get a services contract processed than to get a headcount approved. Do the hard thing for me because I can’t afford to find the right people.”
Hitch Partners’ Piacente agrees, warning that churn has degraded the quality of job seekers seeking leadership roles. “Because there are so many leadership openings, the level of quality of talent is trending down. Most companies go into a search with good intentions but the interview and evaluable processes are so bad, they’re hiring CISOs who have never managed a security person or been around security in any way.”
On the flip side, Piacente is observing a trend where CIOs and IT leadership are looking at cybersecurity as a landing spot. “[The CIOs and IT folks] have already had a taste of it and are starting to find application security is really interesting. They know how to solve problems. They know how to build teams. I’m expecting to see more IT people moving into security.”
Piacente said developers with an engineering mindset are sliding over to the product security side of things, a trend that could help mitigate ongoing staff shortages in both the public and private sector.
“It’s a strong job seekers’ market. There are simply more companies in need of a specific skill set than there are people available to do it,” Piacente declared, noting that companies are starting to see the value in larger security teams.
“We’re seeing budgets shift towards bigger security teams, even at the smaller companies. It’s not unusual for a startup with 400 to 500 people to hire a CISO and not expect him to build a 50-person team,” Piacente added.
Even as organizations revamp operations and change rules on allowing remote work, Piacente notes there are lingering limitations. “Even if they’re okay with remote work, they prefer a candidate in the same time zone. Some are requiring that work-from-home staff spend two weeks per quarter in the office.”
“Geography still affects hiring,” Piacente declared.