A quarter of cybersecurity leaders will leave the sector by 2025, says Gartner

Work-related stress and burnout are among the main causes for such shift

Nearly half of cybersecurity leaders will be changing jobs by 2025, with a quarter moving into completely different careers due to work-related stress, according to research institute, Gartner.

"Cybersecurity professionals are facing unsustainable levels of stress," said Deepti Gopal, director analyst at Gartner. "Chief information security officers (CISOs) are on the defence, with the only possible outcomes that they don't get hacked or they do. The psychological impact of this directly affects decision quality and the performance of cybersecurity leaders and their teams."

Talent turnover is also especially high within cybersecurity professionals given the many market opportunities, which ultimately becomes a security threat for teams.

Gartner's research found that compliance-centric cybersecurity programmes, low executive support and subpar industry-level maturity are all indicators of an organisation that does not view security risk management as critical to business success.

Organisations of this type are likely to experience higher attrition as talent leaves for roles where their impact is felt and valued.

"Burnout and voluntary attrition are outcomes of poor organisational culture," said Gopal. "While eliminating stress is an unrealistic goal, people can manage incredibly challenging and stressful jobs in cultures where they're supported."

The impact on security

Gartner found that by 2025 the loss of talent and stress-related mistakes will be responsible for over half of significant cyber incidents - particularly as threat actors increasingly see humans as the most vulnerable point of exploitation.

A Gartner survey conducted in May and June 2022 among 1,310 employees revealed that 69 per cent of employees have bypassed their organisation's cybersecurity guidance in the past 12 months. In the survey, 74 per cent of employees said they would be willing to bypass cybersecurity guidance if it helped them or their team achieve a business objective.

Paul Furtado, VP analyst at Gartner commented: "Friction that slows down employees and leads to insecure behaviours is a significant driver of insider risk."

Off-setting risks

According to Gartner, half of medium to large enterprises will adopt formal programmes to manage insider risks by 2025.

Focused insider risk management programmes will proactively and predictively identify behaviours that may result in the potential exfiltration of corporate assets or other damaging actions and provide corrective guidance, instead of punishment.

"CISOs must increasingly consider insider risk when developing a cybersecurity program," continued Furtado. "Traditional cybersecurity tools have limited visibility into threats that come from within."