cyber security jobs have a high turn over, but why?

UnixGuy

I noticed that the average tenure in cyber security roles in the US is 6-18 months on average (not an accurate statistic, but observational). It's a bit longer in Australia but it's still considered relatively short as well.

I'm trying to understand the reasons behind it, and could come up with a few reasons.

One, Salaries are getting higher so you will be tempted with a higher salary. I'm guilty of this, got 80% pay rise as soon as Covid hit, couldn't say no to it.

But more often than not, I found that Security folks are usually frustrated by management and the work culture and attitude towards security. Here are some things that I observed that led people to quit:

- The job isn't what they were promised:  For example they promise you that you will be detecting to and responding to threats, optimising a SOC, etc etc. The job turned out to be escalating tickets to senior responders or simply reading reports from an MSSP SOC (I've seen this scenario with my own eyes, the person quit within 2 months..)

- Security is managed by IT. There is nothing wrong with that in theory, but problems start to happen when IT decides to micromanage security. It's problematic because IT doesn't have the full context of security, IT has different priorities (i.e. availability - keeping lights on), and Security will have a hard time findings vulnerabilities and weaknesses in IT as IT has the final say (again, seen this with my own eyes, security team members started quitting one after the other..).

Can you share why Security people seem frustrated in general and why do they quit in 6-18 months??  Recruitment is expensive and I know companies would like to retain talent, specially when they cry 'talent shortage'

JDMurray

I would say that there are a lot of reasons for short-timers in Cybersecurity, and 50% of the quick departures have nothing to do with IT or security in itself. Many of the other 50% are first-timers in cybersecurity who discover that they don't like the work for one reason or another. They got into Cybersecurity because of the talk of job security and big paychecks and not for a love of the work itself. Also, people just starting in Cybersecurity usually don't pull a very large wage and are FIFO.

I've been on the same SOC team for over nine years and in two different roles (i.e., analyst and manger). Maybe a more illuminating question would be, "Why do some people stay in (cyber)security for many years?" I'll bet in many cases it comes down to random chance of suitability factors (e.g., good manager, good wages, the company has a worthwhile mission or a culture of long-time employees or a good/flexible work environment, the work is important and interesting, employee has a stable home life, etc.).

UnixGuy

@JDMurray Would you say your long tenure and the fact that you had those positive factors in place makes you an exceptions that proves the rule? or at least you are a rare case, and at large we have an issue across the industry that should be addressed ?

E Double U

My background: Been in security since 2012 in both US and NL. 2012 - 2016 in US and 2016 - present in NL. 

Regarding the US, I worked at both a telco and regional bank in a four year period and did not recognize the observations you are making. People being frustrated with mgmt, the company's work culture, and/or job not being what was expected is not a cybersecurity phenomenon. These things happen amongst many fields so trying to understand that issue in general makes more sense than trying to focus it on cyber because I do not believe you will reach a different conclusion. I also did not notice the high turnover in either company. In both teams I worked on people had been there for many years. The only reason I left both was because the telco had layoffs (got me) and the bank did not have a presence in my newfound home so no option to simply transfer available. At the bank, security initially fell under IT, but then they moved the CISO from under the CIO to be an equal. But the prior situation didn't have any noticeable issues for us. 

Note: my US experience was based in Southern California. Maybe other regions/states were different. 

Regarding NL, there are a lot more people coming in and going from my employer, but that is not just cybersecurity. The contract system here is the biggest factor from what I can see. Lots of externals that can only stay for so long. In the case of internals, there is a system where you have to get a permanent contract to remain. If mgmt does not deem you fit for one then you have to find employment elsewhere. Besides that, I see internals moving on for new opportunities and higher salaries instead of leaving over frustration. I have been with the same company for over five years across four departments in five different roles. Each move for me was simply taking advantage of a new opportunity. Never moved out of frustration. 

UnixGuy

Fair enough, looks like people have different experiences. I did move to higher paying roles so moving was sometimes was out of temptation

E Double U

I have also moved twice during the pandemic out of temptation 

UnixGuy

But you managed to do it with the same employer? I never seem to have opportunities within the same company , could be that I'm not good at negotiating those!

Anyway, always interesting to hear peoples experience. I do hear a common complain from companies that "cyber people like to move every 18 months"

E Double U

Yes there are so many opportunities within my current employer which is why I enjoy it so much. We have over 100k employees globally so plenty of room to move around.

JDMurray

UnixGuy said:

@JDMurray Would you say your long tenure and the fact that you had those positive factors in place makes you an exceptions that proves the rule? or at least you are a rare case, and at large we have an issue across the industry that should be addressed ?

My employer is very large (100K+ employees) and global, although 97% of employees are in the USA. Organizations of this size are like 100's of smaller organizations (i.e., departments) under one roof and it can be easy to change job roles while staying with the same employer for many years. Some departments are great places to work and others are marginal to terrible. The reasons for the wide range of work quality experiences is usually due to people's personalities and politics, the business' processes, and budgets. Work experience reviews of large organizations, on sites like Glassdoor, mostly describe what it is like to work in a specific department and not for the company itself. Only in a very small business can an employee know what it's like to work "at the entire company."

What you need is a survey of why cybersecurity people soon left a cybersecurity role and note how many did so specifically because of the cybersecurity profession itself. In my experience, most people leave a short-time position for reasons typical of any type of job (e.g., bad manager, bad pay/better pay elsewhere, effort of commute, job wasn't what I thought it would be, involuntary termination due to employer layoff, etc.). And as I said, looking at why people stay in a job for many years will give you some insight from the other side of the coin too.

TechGromit

Were I work, it's all compliance based, it's less about actual security and more about the process of checking boxes that these logs have been checked, anomalies identified and cleared as not malicious. The repetition does get old after awhile and challenges are few and far between, unless doing a project.  I can certainly see why some people quit for something more challenging, but face it a lot of IT is groundhog day every day, 90% of the time it's the same clueless users calling for IT support. Same unrealistic deadlines and being on call like you have no life outside of work. If you been in IT for any length of time, you get used to it. For the education required you really can't beat the salaries vs most other industries.  They pay me well and can't beat the benefits and experience has taught me that the grass isn't really all that greener elsewhere. When you find a good company pays well and treats there employees good, you be a fool to jump ship for a few thousand dollars more in my opinion.