A cybersecurity worker identifies an issue.
Image: leowolfert/Adobe Stock

It is well known that the cybersecurity field faces vacancies and a skills gap . Unfortunately, relief may not come soon, if research firm Gartner’s predictions hold true that fully a quarter of security leaders will depart the cybersecurity field entirely by 2025 due to work pressures.

In a new report , the firm predicts that nearly half of cybersecurity leaders will change jobs, and that by 2025, lack of talent or human failure will be responsible for over half of significant cyber incidents.

Jump to:

Don’t ask cyber staffers ‘Why so serious?’

Deepti Gopal, director analyst at Gartner, said cybersecurity leaders are burning the candle at both ends to balance technology needs, business needs and environmental needs in order to maintain or improve their organization’s security.

“While they are in the rush to achieve this they are really spread thin,” Gopal said. “If you look closely at today’s world, the hybrid work environment is everything; that also impacts the cybersecurity leaders, adding complexity to their work and the way they strategize.”

She added that “work life harmonization” adopted by IT amounts to dissolving the membrane between work and non-work, particularly as work and home are in the same location.

“If you listen to cybersecurity leaders, you’ll hear things like ‘I start my day with work, emails, alerts, and coffee,’ and ‘I work with a group of All Stars who are always available,’” Gopal said. “They don’t complain about the workload. These are all elements that indicate the presence of high stress, high demand.

“But, there is a loss of control or inability to have a sense of control on their work-related stress — the inability to protect their time for the things that matter the most. I like to ask leaders to jot down the things that they absolutely do in the coming week and then look at their calendars, most often they tell me that they haven’t carved out any time for the tasks on their list!”

Cybersecurity teams undervalued at companies that move fast and break things

Gartner research shows that compliance-centric cybersecurity programs, low executive support and subpar industry-level security are all indicators of an organization that does not view security risk management as key to business success. Gopal said such organizations are likely to see cybersecurity talent leave for companies where they are more appreciated — where their impact is felt and valued.

“When the organization is charged to move fast, there will be situations where security is not top of mind; that needs to change,” Gopal said. “We need to see cybersecurity as intrinsic to digital design.”

SEE: 10 cybersecurity predictions for tech leaders in 2023 (TechRepublic)

Insider risk rises with discontent, ‘talent churn’

Paul Furtado, vice president analyst at Gartner, said talent churn of cybersecurity or other talent, IT or otherwise, could constitute its own security bugbear, as it raises the specter of insider wrongdoing.

“The cybersecurity workforce is a microcosm of society and made up of individuals who respond differently to different stress triggers,” Furtado said. “For some, they will leave their employment gracefully without any disruptions.

“Others may feel that the artifacts they’ve created or contributed to are their personal intellectual property, and therefore, they take a copy. Some may feel that they want to exfiltrate some data that may assist them in their next role with a different employer.”

And then there’s the possibility — more remote perhaps — that individuals, regardless of where they are in the organization, may go beyond theft to commit acts of sabotage or disruption of systems or data.

“The reality is that security leaders must be prepared for each of these occurrences; there are numerous examples where these behaviors have occurred,” Furtado said. “The scary part: In some cases, insiders won’t wait for a layoff or resignation to start some of these behaviors.

“Preparing to manage insider risk is critical in preventing it from becoming an actual insider threat event.”

Gartner predicts that by 2025 half of medium to large enterprises will adopt programs to deal with insider risk — up from 10% today.

Taxonomy of insider threats and how to deal with them

Furtado said insider threat activities typically revolve around:

  • Phishing.
  • Misrepresentation.
  • Financial theft and other forms of embezzlement such as expenses fraud.
  • Exfiltrating or viewing unauthorized data.
  • System sabotage involving malware, ransomware, account lockouts and data deletion.

3 types of threat actors

He identifies three kinds of actors:

  • Careless users: Accidentally exposes sensitive and/or proprietary data, including errors and improper configurations.
  • Malicious users: Intentional sabotage or data theft for either personal reasons or financial gain.
  • Compromised credentials: Credentials exploited by someone outside the organization for the purpose of data theft and/or sabotage.

Insider threat attack sequence

According to Furtado, taxonomies of insider attacks show that many determined and planned exploits followed this sequence:

  1. The actor makes a genuine error and reverses it.
  2. When no consequences are experienced, the actor tests to see if the error can be repeated at will.
  3. The critical point is reached when a combination of work stressors, personal stressors and character flaws allows the actor to rationalize harmful behavior as deserved, serving a higher cause and so on.

Countering insider threats

In order to counter this risk, Furtado counsels organizations to:

  • Rule of three: Implement the “rule of three” to mitigate risk while effectively using limited security resources. Furtado said this involves deterring individuals from wanting to act in the first place, detecting the activity, and disrupting the effort.
  • Security culture: Establish an enterprise-wide culture of security by developing a formal insider risk program aligned with key areas of the organization (especially HR and legal).
  • Social and risk governance: Mitigate the insider risk by implementing behavioral technology, risk measurement and sound governance practices (Figure A).

Figure A

Rule of Three for insider threats.
Image: Gartner. Rule of Three for insider threats.

Humans: the cause and the target

Gartner predicts that by 2025, lack of talent or human failure will be responsible for over half of significant cyber incidents due, in part, to spiking social engineering exploits and lack of data hygiene. The firm’s data also suggests, however, that employees’ perception of risk may not reflect clear and present cybersecurity dangers. If not, top-down guidance may be of little value.

Last spring, when Gartner surveyed some 1,300 employees, 69% of them said they had bypassed their organization’s cybersecurity guidance in the prior 12 months, and 74% said they would be willing to bypass cybersecurity guidance if it helped them or their team achieve a business objective.