A new research report has found that in 2021, senior IT/security executives and C-level executives were about half as likely to be terminated following a data breach incident than just three years ago.
According to a study by Kaspersky, only 7% of surveyed organizations that experienced a breach incident in 2021 fired senior IT staffers, compared with 12% in 2018. Likewise, only 8% fired senior security officials due to a breach in 2021, compared with 14% in 2018. And C-level business executives were let go after a serious security incident only 4% of the time, instead of 7% in 2018.
The only bad news came for employees with functional non-IT, IT and security roles. In these categories, the percentage of firings held steady or went very slightly up.
Is that perhaps an indication that business leaders and boards of directors are starting to understand that not all network incursions are preventable, and not all breaches are indicative of poor security management?
Maybe, maybe not. In its report, Kaspersky theorized that the decline in firings is likely because the demand for IT and cybersecurity specialists is sky high as organizations face a challenging cybersecurity environment and growing IT complexity. And with the job market strongly favoring skilled employees with experience, it may just be that companies can’t afford to let their IT/security executives go, even if their track records have a few blemishes.
“The demand for retaining and nurturing expertise is seen, for example, in budget planning,” states a press released linked to the report. “38% of enterprises report the need to improve the level of specialist security expertise as the top reason to increase their IT security budget.”
Mark Aiello, president of infosec jobs marketplace CyberSN, told SC Media that it’s probably a mix of both factors — the desperate need to hang onto talent, but also a better appreciation for the nuances and impossible challenges of specialized IT/security jobs.
“A breach today no longer automatically means someone is getting fired. Identifying a scapegoat is no longer mandatory,” said Aiello. “In many cases, it never makes the news. Two infamous breaches, Target and TJX, are not in the top 15 of all time.”
Additionally, “the labor market for cyber professionals is so tight that companies no longer knee-jerk to termination when there is a breach. They are much more likely to take into consideration the chances of being able to replace the employee combined with their culpability before deciding if termination is warranted.”
Robert Ackerman, founder and managing director of cybersecurity venture capital firm AllegisCyber, co-founder cyber foundry, DataTribe, and chairman of the Global Cyber Innovation Summit, said that organizations have come to realize that, from a personnel perspective, “change is not the solution… so long as management [still] has confidence in the CISO leadership." On the other hand, “better skills, resources, policies and procedures” are the solution to security lapses.
"The growing frequency of cyberattacks has normalized the reality that breaches run hand in hand with the digital economy,” said Ackerman. “While the CISO — their skills, expertise and resources — are on the front lines in defending against these attacks, there are no magic bullets, no foolproof defense. This growing reality is reflected in the data. If a CISO loses management’s confidence, a failure will lead to a change in that role. At the same time, there is an understanding of how tough the role is and that everyone organization will eventually be compromised.”
For those less enlightened companies that still expect perfection from the security department, it’s important that security professionals know how to “talk to the business to get them to understand” the role of the IT/security department and how its initiatives align with business objectives, said Candy Alexander, president of the International Systems Security Association (ISSA International), and CISO and security practice lead at NeuEon.
“Case in point: one could state that breaches happen because proper safeguards aren’t put into place due to the lack of resources,” said Alexander. “Many cybersecurity professional do not always receive what they request for resources because there is a misalignment, or even perceived misalignment with the business. … That is, unless the cybersecurity group can position how the extra resources will support the revenue generation and protect the company.”
“It’s a conversation that we, as cybersecurity professionals, need to get better at. And because we don’t align with the business in those terms, we are seen as a cost center and that we are not doing our job — even though we may not have the tools available to do our jobs effectively,” Alexander continued. “We need to learn how to … say how cybersecurity is actually contributing to the bottom line — in business terms. Until then, I’m sorry to say, we will run the chance of being fired.”