The real cause of the talent shortage in the information security field isn't a lack of new people entering the profession, but retention and churn at the highest levels, according to a new report by IDC.
"It's a fairly common theme to suggest that we have better training in colleges, certificate courses, and all that sort of thing for entry-level folks," said IDC analyst and report author Pete Lindstrom.
But in fact, at the entry level, expectations are basic and companies are willing to be flexible, are open to diverse backgrounds, and can train new hires.
Jobs that require less than five years of experience are filled within just three months 85 percent of the time, and 99 percent are filled within six months, according to the IDC survey of senior infosec executives.
"But we seem to hit this tipping point when we look for more experienced security professionals," he said.
Jobs that require more than ten years of experience take longer to fill -- 21 percent take a year or more. And when it comes to jobs that require 20 or more years of experience, nearly half take more than a year to fill.
"My hypothesis is that it's because people bail," said Lindstrom. "They leave the security space after they get a taste of what security is all about."
Information security breeds a culture of paranoia, performance is measured based on whether there's been a breach, and the salaries aren't high enough to compensate for the stress.
"You get sick of it," said Lindstrom.
Paranoia, the destroyer
People who work in other technology fields get to grow systems, improve productivity, create technology to bring in new business.
That's not the case in infosec.
"Inside the profession, we often have a tendency to promote paranoia," said Lindstrom.
There's also a culture of antagonism between security requirements and what everyone else at the company wants to have.
"That drives people further and further away from what businesses need," he said. "And everything we do is in the negative frame."
There are other stressful jobs out there, but people switching into information security often find the stress to be even higher, said Andy Ellis, CSO at Cambridge, Mass.-based Akamai Technologies Inc.
In most high-stress careers, like hostage rescue or firefighting, the stress is there but focused in narrow scenarios with clear endpoints, he said.
Plus, firefighters, doctors, trial lawyers, middle-school teachers and others in stressful careers do occasionally get clear wins -- they save lives, win cases, or reach difficult students.
There are no clear wins in information security.
In addition, infosec professionals are responsible for areas where they don't have any control, Ellis added. "And that difference leads to unmanaged stress."
Another source of stress is that the job itself has changed dramatically over the past decade, said Tammy Moskites, CISO and CIO at Salt Lake City-based Venafi. She had previously served as the CISO at Home Depot -- before their big breach -- and at Time Warner Cable.
"It used to be about locking everyone out," she said. "Our metrics were all about how many viruses you blocked out."
But recently, CISOs have had to deal with regulatory compliance and other business areas.
"The burnout of CISOs occurs when they're not qualified to work in these new areas," she said.
"In general it's very difficult to find qualified CISOs that have more than just the technology, but the business background they need to be successful," she added. "And they're going to become harder and harder to find."
It's also hard to find qualified senior managers, she said.
"We have a zero unemployment rate in the profession right now," she said. "It's hard for us as CISOs to find good people to work under us. And the CISO who tries to do the whole job themselves is the one who gets burned out."
To fight the unbeatable foe
Given the variety of cyberthreats faced by enterprises today, combined with the human failings of employees, it is unrealistic to expect that a company can have perfect security and never be breached.
CSOs should be evaluated based on how much they've decreased a company's overall risks, and at what cost.
But that is a difficult metric to calculate. Meanwhile, the details of the latest breaches are conveniently available in the news headlines.
According to IDC, 12 percent of CISOs surveyed said they believe they would be fired after a breach.
"I do agree that some of my colleagues do operate under the 'was there a breach' metric," said Kyle Kennedy, CISO at CyberSN, an infosec staffing firm.
"They often must take the blame for the security breach, even though there could be a million reasons why it wasn't their fault," he added.
Those reasons include lack of staffing or funding, or a lack of senior leadership support for security, he said.
While some CSOs are finding ways to communicate security risks in business language to their boards and other senior executives, others actually make the situation worse, he said, by making comforting but unrealistic promises.
"Quite often that is the mentality of many CISOs and CSOs to their business leadership," he said. "We will be 100 percent secure. We will not have a breach. The phrases go on and on."
CISOs need to have a clear conversation up front with their boards and senior executives about what the company will do in the case of a major breach, said Todd Bell, CISO at Los Angeles-based consulting firm Intersec Worldwide, Inc.
"If a CISO is going to get blamed for a cybersecurity breach, this can have a devastating impact for a CISO’s career and possibly force a career change," he said.
It's just not worth the money
So the CSO jobs are stressful, the expectations are unrealistic, and there could be a big embarrassing career-ending breach at any moment. But at least the money is good, right? Right?
"Lots of people think that salaries are higher than other IT jobs, but from what I can tell, they aren't," said IDC's Lindstrom.
According to Payscale.com, the average CISO with more than 20 years of experience earns about $156,000 a year -- compared to $185,000 for a CIO with the same number of years in the industry.
The way out
Other than leaving the profession, what is a stressed CSO to do?
Happy CSOs recommend broadening horizons to think about the bigger business picture. Putting security projects in business terms such as lowering risk, increasing productivity, or becoming more competitive in the market can help the CSO make allies in other business units, make it easier to get funding, and help translate security into terms others at the company can understand.