By 2025, nearly half of cybersecurity leaders will change jobs, 25% for different roles entirely due to multiple work-related stressors, according to Gartner.
“Cybersecurity professionals are facing unsustainable levels of stress,” says Deepti Gopal, Director Analyst, Gartner. “CISOs are on the defence, with the only possible outcomes that they don’t get hacked or they do. The psychological impact directly affects decision quality and the performance of cybersecurity leaders and their teams.”
Given these dynamics and the massive market opportunities for cybersecurity professionals, talent churn poses a significant threat to security teams. Gartner research shows that compliance-centric cybersecurity programs, low executive support and subpar industry-level maturity are all indicators of an organisation that does not view security risk management as critical to business success. As a result, organisations of this type will likely experience higher attrition as talent leaves for roles where their impact is felt and valued.
The research is detailed in Gartner’s report titled “Predicts 2023: Cybersecurity Industry Focuses on the Human Deal”. It provides actionable, objective insight to CIOs and IT leaders to help them drive their organisations through digital transformation and lead business growth.
“Burnout and voluntary attrition are outcomes of poor organisational culture,” adds Gopal. “While eliminating stress is an unrealistic goal, people can manage incredibly challenging and stressful jobs in cultures where they’re supported.”
Gartner predicts that by 2025, lack of talent or human failure will be responsible for over half of significant cyber incidents. In addition, the number of cyber and social engineering attacks against people is spiking as threat actors increasingly see humans as the most vulnerable point of exploitation.
A Gartner survey conducted in May and June 2022 among 1,310 employees revealed that 69% had bypassed their organisation's cybersecurity guidance in the past 12 months. In the survey, 74% of employees said they would bypass cybersecurity guidance if it helped them or their team achieve a business objective.
“Friction that slows down employees and leads to insecure behaviour is a significant driver of insider risk,” notes Paul Furtado, Vice President Analyst, Gartner.
To confront this rising threat, Gartner predicts that half of medium to large enterprises will adopt formal programs to manage insider risk by 2025, up from 10% today. A focused insider risk management program should proactively and predictively identify behaviours that may result in the exfiltration of corporate assets or other damaging actions, and provide corrective guidance, not punishment.
“CISOs must increasingly consider insider risk when developing a cybersecurity program,” adds Furtado. “Traditional cybersecurity tools have limited visibility into threats that come from within.”
Gartner analysts will present the latest research and advice for security and risk management leaders at the Gartner security and risk management summits, February 27-28 in Dubai, March 28-29 in Sydney, June 5-7 in National Harbor, MD, July 26-28 in Tokyo and September 26-28 in London.