Being responsible for a company's IT security is certainly not an easy job: when everything is going well, people wonder what you are there for, and when everything goes wrong, it is probably a sign that you have not succeeded. This cliché is hard to shake, but two studies by the Club of Experts in Digital Security and Information (CESIN) redraw the contours of this position and show that while security managers face significant stress, most of them seem satisfied with their current job.
In a study published on September 15, CESIN, in association with Advens, first sought to assess the level of stress that cybersecurity managers encounter in their work and the reasons for it.
The study consisted of interviewing 330 active members of CESIN who occupy “cyber manager” positions, seeking to evaluate both the level of stress to which they were subjected and the main factors behind that stress. Through a questionnaire, respondents' results are classified into three zones on a scale of 40: a green zone that corresponds to a situation of minimal (or “positive”) stress, between 0 and 16 points; an orange zone that reflects an “occasional” feeling of helplessness, which generates emotional disturbances, between 16 and 22 points; and finally a red zone, which reflects “a strong feeling of helplessness” and risks to the physical and mental health of the person.
The CISO, the company’s fuse?
Among the 330 respondents in the study, 130 are classified in the green zone (or 39% of the panel), 108 are in the orange zone (or 33% of the panel) and finally 92, or 28% of the respondents, are in the red zone. The average of the barometer results, which assesses the stress level on a scale of 40, is 18.4, which CESIN interprets as “a high collective score”, located in the orange zone.
Several reasons are mentioned to explain this level of professional stress. The managers interviewed first cite “the notion of adversity”, a specific characteristic of the security manager role that the study highlights: “outside the security and defense sector, there are few professions in a company that are in this position to fight against the enemies of the company, whether these adversaries are malicious people or criminal organizations”.
The other side of this situation is the supposed instability of the job, the belief that one’s professional situation is uncertain and that a major crisis can mean job loss. 54% of those surveyed believe that a major crisis could cost them their jobs, a figure less worrisome than expected, according to the study authors. For CESIN, “it is likely that cyber managers overestimate the risk of losing their job”, but this perception can nevertheless lead to risky behaviors and represent a stress factor. Finally, respondents also cite the complexity of the sector and its constantly evolving nature, which can make the field difficult to master while staying up to date.
However, there is good news: only 28% of respondents say they are “discouraged” by the increase in the frequency of cyberattacks, and almost the same number of respondents say they are frustrated by not being able to respond to cyberattacks that affect. Therefore, the “hackback” debate is not at the center of the concerns of the security officials questioned by CESIN.
Salary, the sinew of cyber warfare
In a second study published this week, CESIN focused this time on remuneration for functions and positions related to cybersecurity. The panel was quite similar to the first: this time, 290 professionals who were members of CESIN took part in a survey conducted by Opinionway. The study tells us that the average annual salary of those surveyed is 95,800 euros, for an estimated average salary of 89,200 euros. The authors also point out that 43% of those surveyed receive a salary of more than 100,000 euros. However, there are disparities depending on the position, the region and the size of the company: managers operating in the industrial sector receive an average salary estimated at 110,000 euros and, in addition, they are generally more satisfied with their records. The least generous sector in terms of salary is the public and administrative sector, with an estimated average annual salary of 70,000 euros.
In 2017, CESIN had already published figures on the salaries of its members, which then stood at an average of 100,000 euros. That survey covered 200 cybersecurity officials. The comparison shows that while we have seen an explosion of attacks over four years, median wages have not seen major changes in the sector.
The issue is not trivial: for three out of ten security managers, the prospect of a raise is the number one reason that could push them to change jobs. While 62% of those surveyed believe that their current compensation is satisfactory, 52% believe that they are not being paid enough for their commitment to the company, and 54% for their responsibility, a figure close to what the 2017 study had already raised. 83% say they are, however, satisfied with their current job, citing in particular the diversity of missions and topics to be addressed as a source of motivation.
What emerges from these two studies is the image of cybersecurity managers who find a real interest in their missions, but who do not necessarily feel that they are always recognized at their true value. The first study on stress highlighted the problems related to the image of this role in the company. Many cybersecurity officials feel misunderstood, or even seen as excessive in their recommendations. The study authors underscore the lack of perspective on these issues and recall that mindsets about the role of cybersecurity have evolved considerably in recent years. But, in 2015, the French Club for Information Security (Clusif) was already wondering during a round table whether the person in charge of cybersecurity was condemned to “eat alone in the dining room”, stuck in the eternal role of the company's spoilsport. That mentality, therefore, seems to persist six years later. Despite significant improvements and a real taste for the profession, CISOs still feel that their colleagues and managers do not understand or consider them sufficiently.