According to the Terranova Security report, "51% of cyber security professionals experienced extreme stress or burnout, 65% have considered leaving their job because of stress, and 73% of workers have resigned."
Professionals in the field of cybersecurity frequently work in highly uncertain environments and are under increasing pressure to keep the ship afloat.
I decided to write about some of the problems I've noticed in many large corporations.
Abandoned IT projects and network systems
Semi-functional websites and APIs, for example, are common occurrences within internal and sometimes external networks. Even major financial institutions use network equipment that is severely out-of-date and barely functional. Many of the devices never get updated, even though they have serious security vulnerabilities.
Lack of documentation
Applications and systems in production are expected to have some level of documentation in order to understand their function and keep them up-to-date. In reality, we frequently encounter cases where documentation is either missing, poorly written, or out of date.
Excessive burden on employees
Attackers frequently target a company's developers or system administrators because they have high-privilege access to systems. In order to save their reputation after a data breach or incident, many businesses are quick to blame the employee who fell for the phishing attack. However, improper access controls and monitoring system failures are more to blame.
Unrealistic expectations for InfoSec teams
For example, when performing web pentest assessments, the infosec team frequently has limited time to evaluate the systems under consideration. Application owners who do not understand the nature of these assessments frequently try to persuade pentesters to circumvent existing security controls such as Web application firewalls (WAF). While this is perfectly acceptable when the goal is to assess such security controls, it is not the case when the goal is to test the web application's security posture.
I believe the scenarios I've described are very common, and many cybersecurity professionals who want to reduce risk in their organizations frequently feel like they're fighting an uphill battle. With the proliferation of ransomware attacks and other data breaches, businesses need to shift their strategy and deliberately work to improve the conditions of their security teams.