Cybersecurity: a profession on the verge of burnout
Posted Apr 11, 2023, 10:30 AM
Phishing, exploitation of a vulnerability, CEO fraud… The more cyberattacks multiply (nearly one in two French companies was affected in 2022), the more information systems security managers (CISOs) feel the pressure on their shoulders.
“We do one of the few civilian jobs where we fight against risks of malicious origin. Risks that can potentially bring the entire company to a standstill,” says Jean-François Louapre, cybersecurity consultant and “CISO in transition”. Invited to share his experience during a round table at the International Cybersecurity Forum (FIC), held last week in Lille, he does not hide that he “burned out” a few years ago. And he is far from the only one.
About 60% of cybersecurity managers say they experience “high stress” on a daily basis, and 28% of them stress “with a risk of burnout at work”, according to a survey published in 2021 by CESIN, the association representing the profession. Often on call 24 hours a day, most live in fear of missing “the weak signal that would be the sign of a real incident” and never leave this posture of “guardian of the temple”, notes Stefan Thibault, cybersecurity director at PwC.
Worse, when the attack does happen, they “take it personally” and know that they can “serve as the fuse” that blows, points out Delphine Chevallier, president of the Association for the Support of Victims of Cyberattacks. “Generally, companies are not organized to manage such a crisis, for example by rotating staff during the weeks when the computer systems are down,” regrets Stefan Thibault.
“The CISO cannot be the bulletproof vest of the company”
As a result, nearly half of security managers are expected to change jobs by 2025, 25% of them for completely different roles, because of stress, according to a recent Gartner analysis. The average tenure of a CISO is only 26 months, according to a Nominet report.
“We have to make them more resilient, teach them to manage their stress,” suggests Jeroen Schipper, CISO at the city of The Hague. “If you’re thinking all night about cybercriminals trying to break into your network, you’re doing the wrong job,” he says. Human resources also have a role to play, for example by knowing when to pull the manager back when he is going through a period of personal fragility.
But this strategy has its limits. “The CISO cannot be the bulletproof vest of the company,” laments Benjamin Leroux, marketing director at Advens and a former CISO. Because, as is often the case, these psychosocial risks are only the symptom of a wider dysfunction. Here, the security manager is asked to meet high objectives with a limited budget.
“With the money provided in the budgets, French companies can only do 50% of the work required by international standards,” says Gérôme Billois, partner at Wavestone and a specialist in the subject. Cynically, some CISOs end up hoping for a crisis “to show what they are for and negotiate the budget”. The cyber budget rises from 6% to approximately 15% of the company’s budget in the year after an attack.
CISOs are often on their own. “In large companies, there will be one person for 1,200 employees. And in smaller ones, there is often nobody, only someone in charge of IT,” adds the expert. The talent shortage in the tech sector does not help. “The digital sector in France is short of about 15,000 people,” recalls Paul Pastor, cybersecurity delegate at Numeum, a trade body for the digital industry, whose pet cause is, in particular, bringing more women into the profession. “The profession struggles to inspire. What excites young people is playing the hacker, doing the penetration test. The defensive side, the Blue Team, is more frustrating,” analyzes Stefan Thibault.
Work on “internal recognition” is needed
Internally, too, the CISO fails to inspire. “As they say, a CISO is easy to recognize: he’s the one who eats alone in the canteen…”, half-jokes Benjamin Leroux. Still seen as a “killjoy” who “speaks a strange computer language” and “stops people going on TikTok”, the security manager is sometimes also a pebble in management’s shoe, notes Clara Le Gros, CISO at Natixis: “In a company with financial objectives, our requests do not necessarily seem to be the priority.”
Companies have work to do on “internal recognition”. “He can’t carry the risk on his own. He should sit just below the CEO and his measures should not be open to question,” agree the participants of the round table. A promotion that would come with a salary increase, able to attract new talent? In France, according to Gérôme Billois, annual remuneration is around 70,000 to 200,000 euros, against around 800,000 euros in the Anglo-Saxon world for the most prominent positions.