Effort Gain Estimation and Turnover Costs in Cyber Security
As each day passes, new threats in the realm of cyber security continue to emerge, making it a crucial topic for any enterprise. Despite the existence of several cyber security technologies and the promise of new ones on the horizon, there is a shortage of skilled cyber security professionals in the world to effectively implement and utilize these solutions. Hence, the need for automation in cyber security is becoming increasingly important with each passing day. This trend is driven by the desire to streamline operational activities such as network security policy changes and achieve greater efficiency.
An enterprise customer has a valid expectation to leverage the benefits of automation for other security-related activities, rather than focusing solely on the upkeep of the automation solution itself. Therefore, it makes sense to opt for an automation solution that is both user-friendly and easy to maintain, allowing the gained effort to be directed towards the actual security topics that require attention.
This also holds true for network security policy management. If you were to utilize a solution for this purpose, what kind of effort gain would you anticipate? Here is an estimation for three scenarios:
Effort gain for each scenario based on the assumption that implementing a network security policy management system and automating firewall policy changes will result in a reduction of manual effort required for policy management tasks. However, the actual effort gain will depend on various factors such as the complexity of the environment, the current level of automation, and the specific tools and processes used.
Scenario 1: High number of policy change requests
If the customer has a high number of policy change requests, it is likely that they have a complex network environment with multiple applications and services. In this scenario, implementing a network security policy management system and automating firewall policy changes can result in a significant reduction in manual effort required to process these requests. Specifically, the effort gain can range from 50-70% depending on the level of automation and the effectiveness of the policy management system.
Scenario 2: Lower number of requests but high number of firewalls
If the customer has a lower number of policy change requests but a high number of firewalls, it is likely that they have a distributed network environment with multiple locations or data centers. In this scenario, implementing a network security policy management system and automating firewall policy changes can result in a significant reduction in manual effort required to manage these firewalls. Specifically, the effort gain can range from 40-60% depending on the level of automation and the effectiveness of the policy management system.
Scenario 3: Low number of firewalls and requests
If the customer has a low number of firewalls and requests, the potential for effort gain may be lower than in the previous scenarios. However, even in this case, implementing a network security policy management system and automating firewall policy changes can still result in a reduction in manual effort required for policy management tasks. The effort gain can range from 20-40% depending on the level of automation and the effectiveness of the policy management system.
That’s great by automation the gained effort would reach to 70 %. However, it is not the just about gaining effort. Cyber security people do not prefer working on operational activities like firewall policy changes or analysis, so if this is the issue it may be one of the reasons of turnover. What about the cost of these turnover situations?
There are several studies and reports that have looked into the costs of employee turnover in cybersecurity roles. While there is no one-size-fits-all answer, the general consensus is that turnover in cybersecurity can be costly for organizations, especially if they lose experienced and skilled employees.
According to a report by (ISC)², a global non-profit organization that specializes in cybersecurity education and certification, organizations can spend an average of $145,000 to replace a cybersecurity professional. This includes recruitment costs, training expenses, and lost productivity during the transition period.
Another study by the Ponemon Institute estimates that the cost of employee turnover in cybersecurity can be as high as $3.5 million per year for large organizations. This figure takes into account the direct costs of recruiting, hiring, and training new employees, as well as the indirect costs of lost productivity and reduced morale among remaining staff.
The Society for Human Resource Management (SHRM) has also conducted studies on the cost of employee turnover, including in the cybersecurity field. According to SHRM’s 2019 Human Capital Benchmarking Report, the average cost per hire for a cybersecurity professional was $11,514, which includes recruitment costs such as advertising, sourcing, and screening candidates, as well as the time spent by HR and hiring managers to fill the role.
Additionally, SHRM’s 2019 Employee Benefits Report found that offering competitive salaries and benefits is a key factor in retaining employees, including those in the cybersecurity field. The report notes that organizations that provide above-average benefits, such as healthcare and retirement plans, are more likely to retain their employees than those that provide below-average benefits.
According to another study by the Society for Human Resource Management, regardless of cyber security the average cost of turnover can range anywhere from 30-50% of an employee’s annual salary. For example, if an employee earns $50,000 per year, the cost of turnover could be anywhere from $15,000 to $25,000.
It’s important to note that the cost of turnover includes both direct and indirect costs, such as the cost of recruiting and training a replacement, lost productivity, and the impact on morale for remaining employees. Some estimates put the direct cost of replacing an employee at 1.5 to 2 times their annual salary, with indirect costs adding another 50-70% of their annual salary.
Turnover in cybersecurity roles can also have other implications for an organization’s security posture. For example, when experienced staff leave, they take their knowledge and expertise with them, which can result in a loss of institutional memory and potentially leave the organization vulnerable to cyber-attacks.
Overall, the cost of turnover for cybersecurity engineers can be significant and organizations should take steps to retain their skilled employees, such as offering competitive salaries, professional development opportunities, a positive work environment and surely eliminate operational activities from their daily routines.