Cybersecurity professionals enjoy their roles and recognize the impact of greater diversity, but the potential for downsizing can undermine morale.

The cybersecurity workforce is a positive place to be. A key takeaway from our annual Cybersecurity Workforce Study is that the majority of respondents remain happy about their level of job satisfaction. Yet, the profession is not immune from the impact of wider economic pressures. Despite being a highly robust profession with a strong ratio of demand to workforce, 2023 recorded the first, albeit small, drop in cybersecurity job satisfaction in the face of cost of living and inflation pressures, along with concerns over downsizing.

Alongside this, the significance of corporate culture was also underscored by the fact that those organizations which focused on diversity, equity and inclusion initiatives generally had more effective and content workforces.

How Cybersecurity Employees Perceive the Workplace

We introduced employee experience (EX) as a measurement in 2022 in a bid to understand cybersecurity professionals’ overall satisfaction and work experience. The measure covers issues like engagement, burnout rates, and fair evaluation, amongst others.

The figures showed that the average numbers of cybersecurity professionals reporting “high” and “medium” experience slipped slightly between 2022 and 2023, from 32.6% to 31.3%, and 35.6% to 31.8% respectively. This means that 36.9% of workers reported a “low” level of employee experience, an uptick from 31.7% a year ago.

Nonetheless, overall job satisfaction remains high, with 70% of workers saying they are very or somewhat satisfied in their roles, this remains a substantial majority recognizing that their workplace is positive, with only a four-point slip on the previous year. Meanwhile, 12% were somewhat dissatisfied, with 4% very dissatisfied.

Workers were generally very happy with their work, their immediate colleagues, and wider cybersecurity and technology organizations – though not quite as happy as a year ago before the effects of geopolitical and economic disruption relating to the Ukraine conflict and elsewhere had yet to be fully realized.

The Happiness Gap

Cybersecurity is not completely insulated from the effects of broader economic turmoil, despite being arguably far more resilient than most due to its extensive global and regional skills supply and demand imbalance. Regardless of profession, economic pressures tend to have a direct impact on morale. Workers in organizations that have had layoffs in 2023 had an average EX rating of 46, compared to 55.5 in organizations that had not seen layoffs.

Uncertainty might be considered part and parcel of the cybersecurity world, where threats and challenges change every daily or more often, but it seems the prospect of layoffs impact morale more than the actuality. Workers who expect layoffs in their cybersecurity organization in the year ahead expressed EX ratings of just 38.9 on average, while those in orgs not expecting layoffs showed the highest EX rate, at 59.5. Over two thirds of those who had experienced cutbacks reported that the action had significantly hurt team morale.

Over 70% said cutbacks would mean increased workloads. Almost a third of respondents said “too many emails/tasks” was the biggest factor impacting their job satisfaction. It was closely followed by “overwork due to staff or skill shortages”, with a quarter of respondents citing the fact their team had “inadequate resources to sufficiently protect the company”.

Again, the effect was more pronounced in organizations with staff shortages and skills gaps. As our report showed elsewhere, skills shortages present a bigger problem than people shortages, as the former can leave gaps that can’t always be covered simply by redeploying existing team members from elsewhere in the organization.

The report concluded “the thing that really hurts worker morale is a lack of support and respect from the organization” with the most negatively impactful issue being “my employer does not value or listen to my work”, associated with a 36.9 EX average rating, echoing the finding in last year’s report.

It is a reflection of how organizational culture plays an important role in job satisfaction, and by implication the effectiveness of a security team.

Strength in Diversity

An organization’s approach to diversity, equity and inclusion is an important contributor to boosting and maintaining a cybersecurity team’s morale. It has a direct link to its effectiveness. The study showed positive change, that the cybersecurity workforce is becoming more diverse, though this is happening faster across race/ethnicity than it is around gender. In the US, Canada, Ireland, and the U.K., 70% of cybersecurity workers over 60 were white men. In the under 30 range, the figure was 37%. Two thirds of new entrants in those countries were non-white.

However, women represent just over a quarter of the entire respondent base under 30, with 18% of respondents under 30 being non-white women.

There is a practical element to this. Almost 70% of cybersecurity professionals reported that an inclusive environment was important for their team to succeed, while just over half said diversity within the security team had contributed to the team’s success.

At the same time, just over a quarter (27%) said their company was not doing enough to address DEI issues, and a fifth said they felt discriminated against within their workplace. This was countered by positive responses, with over half (51%) acknowledging the importance of DEI for their security team, and a similar majority (53%) acknowledge DEI for being a success factor for the cybersecurity team.

The uptake of DEI measures remains modest, with less than half (46%) of respondents saying their organizations had DEI training, and almost one in ten saying their organizations have no DEI initiatives at all.

However, there was one DEI initiative that had a clear impact on cybersecurity effectiveness. Skills-based hiring was mentioned as a DEI initiative by 40% of respondents. This delivered clear benefits, for example in terms of recruiting women into cybersecurity roles.

Moreover, together with the introduction of job descriptions that refer to DEI programs, this meant that respondents were more likely to agree that their organization had “the tools and people they need to ensure the organization is prepared to respond to cyber incidents over the next two to three years.”

What Does This Mean for Members?

It’s important then for members, be they team members or management, to recognize that culture and diversity issues have a real positive bearing on a cybersecurity team’s effectiveness, and by implication on the security of the organization, when in place.

In a time of economic and geopolitical uncertainty, positive DEI practices can help teams and organizations. Embracing a far broader talent pool is critical in ensuring that you have the right balance of skills needed to operate effectively during difficult and unpredictable situations. Doing so can bring in new approaches to problem solving, understanding of different markets and cultures, and provide the business with a wider-reaching and multi-layered view of the environment, the challenges, the motivations and how best to combat them.

In addition, the long-term effects are exceedingly valuable. A workplace where all cybersecurity professionals feel comfortable keeps workers happy, ensures productivity is high and reduces staff churn. In most cases, it costs far less financially and in terms of disruption to retain someone than to recruit a replacement.

The upshot is that the report advises organizations to “listen to your staff – don’t work against them. A workplace where all cyber security professionals feel comfortable keeps workers happy, productivity high and attrition low.”

  • The full report for 2023 can be downloaded at https://www.isc2.org/research, along with the Cybersecurity Workforce Study reports from previous years for further comparison.
  • A preview session on the Cybersecurity Workforce Study findings took place at ISC2 Security Congress in October 2023. This is now available for on-demand replay at https://events.isc2.org/
  • Join the conversation – let us know your thoughts on the findings over in the ISC2 Community