by Dr. Shuyler J. Buitron, DCS, MSIA, CISSP, MCSE
Even though the apparent and hopeful answer to the title question is ‘yes, information security does have a future,’ several challenges affect the future of information security, now commonly called InfoSec or cybersecurity. After a precursory look at several papers on the status of employment in cybersecurity (the industry), it appears that those already working in cybersecurity will have no problem staying employed, though some security workers change jobs often (Frost & Sullivan, 2015).
The major challenge facing the industry is that despite continued growth in job openings, the number of people entering the discipline lags behind the need (Frost & Sullivan, 2015; Morgan, 2017b; These 2018 Cyber Security Statistics Help Us, 2018). The lack of professionals to fill business requirements becomes a threat to the practice of cybersecurity in its own right (Security Guy Radio, 2016). As a growing percentage of security positions go unfilled, understaffed teams cannot give adequate attention to all of the tasks involved in protecting an organization. It takes longer to remediate systems after breaches, and practitioners end up in a reactive stance rather than a proactive one (Frost & Sullivan, 2015).
The Need for Personnel in Security
Over the past five years, the personnel gap has gotten worse and continues to widen. In 2017, the United States Bureau of Labor Statistics estimated that “there were more than 100,000 open jobs for cyber security in the nation” (These 2018 Cyber Security Statistics Help Us, 2018). Each year the estimates of open jobs in information security rise even more (Morgan, 2017a).
The growing gap between the need for personnel and the trained people available to fill the openings generates additional difficulties. One complication is increasing overtime work. Because systems are constantly under attack and departmental resources are strained, people in the security business are working overtime to cover the immediate needs. This overtime happens without ceasing and is becoming a standard business operation. Requiring extra work time from cyber staff is a self-defeating solution.
Hardships Imposed on People Working in Cyber
I recently had a conversation with colleagues who are information security specialists. One of them expressed difficulty with working 50, 60, and 70-hour weeks. This type of work schedule is imposed on security staff because of tight budgets and close monitoring of operational costs. Spending one’s working life putting in excessive overtime is not only inconvenient and a hindrance to family life, but it is unhealthy and even deadly. Overwork can cause early death. In 2013, an ambitious Bank of America intern worked for 72 hours straight and then was found dead in his flat when he did not show up for work the next day. The man had died, presumably of an epileptic seizure (Hill & Ward, 2013). A young Japanese journalist worked 159 hours of overtime in one month, taking only two days off for the entire month. She died of heart failure in 2013; the story did not appear in the news until four years later (McCurry, 2017; News Corp Australia Network, 2017). Death from overwork happens frequently enough in Japan that there is a word for it: ‘karoshi,’ first used by a researcher to describe the phenomenon in the late 1970s in Japan (Kanai, 2009).
A non-work-related example of death from too much sitting at a computer desk happened to a young man in Russia. The 17-year-old had broken his leg and played a computer game nearly non-stop for 22 days (McCrum, 2015). The cause of death was deep vein thrombosis, also a danger to airline passengers on long international flights (Braithwaite, Healy, Cameron, Weatherall, & Beasley, 2016).
While it may seem a bit extreme to point out that workers can pay the ultimate price for working excessively, the facts directly affect the future of cybersecurity. Short-term overtime harms human health; overtime of 9 hours per week can have detrimental effects on wellbeing (Main, 2017). Multiple peer-reviewed studies show that overworking can cause a host of maladies from depression to obesity and heart disease (Cheng, Christiani, Jong, Kawachi, Lin, Lin, & Verguet, 2017; Goh, Pfeffer, & Zenios, 2017; National Health Service, 2015). How can the cybersecurity practice expect to continue if the work itself is killing off practitioners?
Excessive overtime may fill the security needs of an organization, however awkwardly. Requiring security professionals to work extra hours as a standard keeps companies from hiring additional people in security roles. Standard overtime of 50, 60, and 70 hours a week burns out the staff and hurts the business of security. People who are overworked are more likely to make mistakes (Casey, 2005; Backon, Bond, Brownfield, Galinsky, Kim, & Sakai, 2004). Mandatory overtime causes people to shy away from joining cybersecurity. Several people that I know point out that overtime is a stress factor, and is a negative consideration for entering the discipline.
Budgets are small, there is too much work, and pay may be too low. These three factors contribute to overworked, sick, and burned-out workers. The pressures can lead to dissatisfaction and higher turnover. There ends up being no time to train new hires or cross-train with other departments. Worst of all, salaried employees’ pay decreases with every overtime hour worked.
Because there are not enough men to fill the cyber roles at present, a security industry hiring expert, Deidre Diamond, noted, “. . . we can’t manufacture more men” (Security Guy Radio, 2016). To fill the gap, the business needs women to step into the breach (Frost & Sullivan, 2017). Cybersecurity needs women, people of color, veterans, and people with a variety of backgrounds to not only fill the roles but also to bring different perspectives to the enterprise (Burrell & Nobles, 2017).
An organization in the United States that critically depends on alert and accurate personnel is the National Aeronautics and Space Administration (NASA). A NASA study conducted in the mid-1990s showed that planned naps taken by flight crews during slack times on long flights increased alertness in crew members, reducing errors and mistakes which could have been disastrous (Rosekind et al., 1994). The Rosekind et al. study was the source of coining the term “NASA Nap” (NASA Naps, 2005). After the Rosekind study, NASA made it their policy to allow long-flight crews and crews in space to take naps in-between times of heightened activity. Shouldn’t the people who work in information security and cybersecurity be afforded similar consideration since they are guarding business and national infrastructure in their work?
Some Companies Now Offer Nap Time to Employees
Several progressive companies recognize the proven correlation between adequate sleep and improved performance. These companies provide napping facilities within their office environments (Hauser, 2012; Ketchum, 2018). The companies listed by Ketchum (2018) include three technology companies: Cisco, PricewaterhouseCoopers, and Google. Information security and cybersecurity companies that insist on large amounts of overtime may do well to consider offering the same options to their staff members.
Cybersecurity needs a Sea-Change. A Sea-Change refers to transforming one thing into another by replacing its components, as in Shakespeare’s ‘The Tempest’ (1610). The Sea-Change is a positive transformation. Negative stories of overwork and burnout are hindrances to the progress of the industry. Overworked security teams could face a greater risk of breach. Yes, information security and cybersecurity DO have a future, but we have to work together to create a more hospitable environment for those who are tasked to carry out the everyday duties of protecting businesses, and the infrastructure and data required to run our country.
References
Backon, L., Bond, J. T., Brownfield, E., Galinsky, E., Kim, S. S., & Sakai, K. (2004). Overwork in America: When the way we work becomes too much. Families and Work Institute. Retrieved from http://familiesandwork.org/downloads/OverworkinAmerica.pdf
Braithwaite, I., Healy, B., Cameron, L., Weatherall, M., & Beasley, R. (2016). Venous thromboembolism risk associated with protracted work- and computer-related seated immobility: A case-control study. JRSM Open, 7(8), 2054270416632670. http://doi.org/10.1177/2054270416632670
Burrell, D. N., & Nobles, C. (2017). Recommendations to develop and hire more highly qualified women and minorities cybersecurity professionals. Retrieved from EBSCO.
Casey, J. (2005). Work-family information on: Overwork. Sloan Work and Family Research Network. Retrieved from https://workfamily.sas.upenn.edu/sites/workfamily.sas.upenn.edu/files/imported/pdfs/EWS_Overwork.pdf
Cheng, Y., Christiani, D. C., Jong, S., Kawachi, I., Lin, C-K., Lin, R-T., & Verguet, S. (2017). The impact of the introduction of new recognition criteria for overwork-related cardiovascular and cerebrovascular diseases: a cross-country comparison. Retrieved from ProQuest.
Frost & Sullivan. (2015). The 2015 (ISC)2 global information security workforce study. Retrieved from https://iamcybersafe.org/wp-content/uploads/2017/01/FrostSullivan-ISC%C2%B2-Global-Information-Security-Workforce-Study-2015.pdf
Frost & Sullivan. (2017). The 2017 global information security workforce study: Women in cybersecurity. Retrieved from https://iamcybersafe.org/wp-content/uploads/2017/03/WomensReport.pdf
Goh, J., Pfeffer, J., & Zenios, S. A. (2017). Workplace stressors and health outcomes: Health policy for the workplace. Retrieved from https://behavioralpolicy.org/wp-content/uploads/2017/02/BSP_vol1is1_Goh.pdf
Hauser, A. (2012). The most sleep-friendly companies in America. Retrieved from https://www.everydayhealth.com/sleep-pictures/the-most-sleep-friendly-companies-in-america.aspx
Hill, A., & Ward, V. (2013). Bank intern who died after ‘working for 72 hours’ felt pressure to excel. Retrieved from https://www.telegraph.co.uk/finance/newsbysector/banksandfinance/10255199/Bank-intern-who-died-after-working-for-72-hours-felt-pressure-to-excel.html
Kanai, A. (2009). Karoshi (work to death) in Japan. Journal of Business Ethics, 84, pp. 209–216.
Ketchum, D. (2018). You can nap on the job at these 10 companies. Retrieved from https://www.gobankingrates.com/making-money/jobs/companies-allow-napping-at-work/#8
Main, D. (2017). Irregular heartbeat? You may be working too much, study says. Retrieved from https://www.newsweek.com/working-long-hours-raises-risk-irregular-heartbeat-study-says-636534
McCrum, K. (2015, September 3). Tragic teen dies after ‘playing computer for 22 days in a row:’ The 17-year-old had broken his leg and was playing game Defence of the Ancients almost continuously more than three weeks. Retrieved from https://www.mirror.co.uk/news/world-news/tragic-teen-gamer-dies-after-6373887
Morgan, S. (2017a). Cybersecurity Jobs Report 2018-2021: Cybersecurity Ventures predicts there will be 3.5 million cybersecurity job openings by 2021. (May 31) Retrieved from https://cybersecurityventures.com/jobs/
Morgan, S. (2017b). Cybersecurity labor crunch to hit 3.5 million unfilled jobs by 2021: The cybercrime epidemic is expected to triple the number of open positions over the next five years. (June 6). Retrieved from https://www.csoonline.com/article/3200024/security/cybersecurity-labor-crunch-to-hit-35-million-unfilled-jobs-by-2021.html
McCurry, J. (2017, October 5). Japanese woman ‘dies from overwork’ after logging 159 hours of overtime in a month. Retrieved from https://www.theguardian.com/world/2017/oct/05/japanese-woman-dies-overwork-159-hours-overtime
NASA Naps. (2005). NASA Science Beta. Retrieved from https://science.nasa.gov/science-news/science-at-nasa/2005/03jun_naps
National Health Service. (2015). Working long hours ‘increases stroke risk.’ Retrieved from https://www.nhs.uk/news/neurology/working-long-hours-increases-stroke-risk/
News Corp Australia Network. (2017, October 6). Japanese reporter dies after working 159 hours overtime in a month. Retrieved from https://www.news.com.au/finance/work/japanese-reporter-dies-after-working-159-hours-overtime-in-a-month/news-story/8975f3d0783a824e469db2b89eb68a7f
Rosekind, M. R., Graeber, R. C., Dinges, D. F., Connell, L. J., Rountree, M. S., Spinweber, C. L., & Gillen, K. A. (1994). Crew factors in flight operations 9: Effects of planned cockpit rest on crew performance and alertness in long-haul operations. NASA Ames Research Center. Retrieved from https://ntrs.nasa.gov/search.jsp?R=19950006379
Security Guy Radio. (2016, September 27). #CyberSN with Deidre Diamond at #BlackHat 2016 [Video File]. Retrieved from https://www.youtube.com/watch?v=Mt9ZUosR2sI
Shakespeare, W. (1610-1611). The Tempest. Retrieved from http://shakespeare.mit.edu/tempest/full.html
These 2018 Cyber Security Statistics Help Us Better Understand Career Demand (2018). Retrieved from https://woz-u.com/these-2018-cyber-security-statistics-help-us-better-understand-career-demand/