At night, all cybercats are grey. And all the nights of IT security managers are sleepless. Exhausted, the RSSI (responsible for the security of information systems) are more than half to want to leave their job. Some for a total reconversion. On the occasion of the International Cybersecurity Forum (FIC) in Lille, a journalist from Echos wanted to take back the temperature of the profession and the observation is clear. The fever has set in in the cybersecurity sector. The consequences of these symptoms will be all the more serious.
As a symbol, the metropolis of Lille, which hosts the FIC, suffered a major cyberattack last month. Situation quite representative of what is happening across the country: despite the very high coverage of IT risks that we face, both individually and as a company, the profession is still far from be the center of attention. The risk of burnout is particularly high, behind the sequins of the government’s “cyber-shield”, or even the inauguration of the Cyber Campus.
Loneliness too great, responsibilities too high
A first study, published in November last year by Mimecast, already showed the suffering of members of the profession. Between the evolution of risks and that of mentalities, the gap has created disgust among specialists who very quickly find themselves isolated, lacking resources, misunderstood and exhausted. Unlike other positions, their responsibilities are even greater too. Sometimes they are alone to ensure the protection of boxes for more than 1000 employees.
“We do one of the few civilian jobs where we fight against risks of malicious origin. Risks that can potentially shut down the entire company”explained Jean-François Louapre, cybersecurity consultant, to the newspaper The echoes. He wants to leave the profession, like nearly half of his colleagues in France who can no longer carry the burden on their shoulders. Admission of weakness, it is within the Association of victims of cyberattacks that testimonies abound.
In addition to the risk of “take it personally”if a cyberattack were to infect their company’s IT systems, these cybersecurity managers would be at risk of “to act as a fuse”, reported Delphine Chevallier, the president of the association. A total nonsense, while it will certainly not be the responsibility of the specialist but of the lack of necessary means of the company to thwart the attacks.
Gérôme Billois, partner at Wavestone, specified that only 50% of the budget required to meet international standards to deal with cyberattacks is provided on average by French companies. Managers therefore have to make do with an empty toolkit as well as particularly low salaries. Between the United States and France, on this question, it is day and night: the best profiles are paid 800,000 euros per year across the Atlantic, against between 70,000 and 200,000 euros on the French side.
Save CISOs
During a round table, which the journalist from the Echos during the FIC in Lille, the discussions focused on possible solutions to get out of this burden. In addition to the need to release higher budgets, the need to modify the organization between CISOs and management was discussed. Objective: to raise their place rightly, to offer them something to take action without discussing. Make it a priority, too. The whole, to converge towards a “internal recognition”as mentioned by the economic newspaper.
The urgency is great while young graduates are not rushing to apply for this kind of position. Many are also motivated to pack their bags and move to other countries where cyber dangers are taken more seriously. In the meantime, the European Union, at the level of its member states, will present on April 18 a “cyber shield” to answer for its sovereignty and support SMEs that do not pay enough attention to the risks incurred.
The cyber shield is expected to cost the EU over €1 billion. It will be managed in 5 to 6 operational centers, and aims above all to improve the detection of upstream cyberattacks. Spread over the territory, the operational centers “will ensure the security of networks, based on supercomputers and AI, capable of detecting malicious behavior in a few hours”declared at the start of the FIC in Lille the European Commissioner for the Internal Market, Thierry Breton.
