State of the DevSecOps Professional: At Work and off the Clock

Developers and security professionals believe they save their organizations millions of dollars every year by preventing potential attacks. But when asked about stress and anxiety levels, these groups signal trouble. With the ongoing talent shortage and “Great Resignation” taking place in IT, the impacts of time-strapped and stretched teams negatively affect work-life balance and mental health, ultimately influencing security posture. Something’s gotta give. 

Although cybersecurity professionals feel more appreciated by their colleagues than ever before, a lack of proper leadership support, strategic processes, and tooling for modern security needs will send them looking for greener pastures. In the race to a hybrid remote work environment, leveraging existing skills, closing critical knowledge gaps, implementing capable tooling, and filling open seats are all necessary steps to keeping your software secure – and your development and cybersecurity pros happy. 

Data shows us teams are still stressed and that stress impacts personal life

To gain deeper insight into current trends in the cybersecurity workforce, we partnered with Wakefield Research to survey 500 security professionals and software developers at companies in the United States with 2,000 or more employees. 

The insight we were able to obtain from our surveys provide a window into how cybersecurity teams are managing stressors and what they think of their roles within their organizations. Gathered at the Director level or higher, the data tells a story of constant disruptions to the work-life balance for those leading the charge on software security. Let’s break down some of the numbers:

• 4+ hours each day are lost to DevSecOps issues that could have otherwise been prevented with best practices and modern tools. In fact, 41% of cybersecurity professionals spend 5+ hours addressing security issues compared to 32% of developers. 
• 81% of respondents say 4:59 PM has “magical power” to increase trouble tickets at the end of the day and cause more anxiety.
• 1 in 3 employees have blown off dates with a significant other or a night out with friends because of security issues at work, with 41% of developers blowing off a night out compared to 34% of their cybersecurity counterparts.
• 50% say they’ve had to log in over the weekend or on their own time to manage an issue.

These numbers paint a disheartening picture; more than 1 in 3 leaders in security and development have managed cybersecurity issues amidst a holiday meal with family or during downtime at home. And they’re often our unsung superheroes, too: over half of cybersecurity and development professionals said they’ve fixed a potentially disastrous problem on their own that no one knew about. 

Vulnerability anxiety is intense and shows up fast when new flaws are discovered

When a potential vulnerability comes knocking, so does anxiety. A whopping 81% of developers and security professionals are more than a little anxious about the next vulnerability:

• Always: 12%
• Immediately after discovery: 35%
• Within 24 hours of discovery: 34%

Working in gray areas compounds the anxiety, which means cybersecurity professionals may feel unsure about where they stand ethically. We were curious how often the pressures of working like a hacker play into this, so we asked where they believe they fall within that ethical spectrum. More than half (54%) feel they have operated between malicious hacking and ethical hacking at work – likely due to stretched teams that need to act fast and prevent potential issues without going through the proper channels. Working in a cycle contributes to mounting pressure for improved security posture when a new vulnerability pops up. 

The bright side: DevSec relationships are improving

Even with anxiety on a constant rise, relationships between security and development are on the mend. In this survey, we found that 49% of respondents think they’re “besties” with their counterparts, while only 28% say they’re “frenemies.” That’s up 14% from the Fall Edition of the Invicti AppSec Indicator, where 35% of respondents noted that they’re “besties” with security and development counterparts. 

Overworked and underappreciated teams are leading to burnout and turnover

If you want to keep skilled cybersecurity professionals and innovative developers in their seats, getting a handle on the stress factor that can come from subpar security is key. According to a study by the Information Systems Audit and Control Association (ISACA), 66% of organizations are having trouble retaining cybersecurity talent today. 

Appreciation and motivation are two significant drivers of staying power. Cybersecurity professionals take pride in their work, especially when it’s noticed by team members. In our data, we found that 79% feel more appreciated than annoyed by their colleagues, and an overwhelming 85% agree the most unsettling days are when nobody needs them to fix anything at all. When it comes to combating that anxiety, a healthy balance between full-coverage security, innovation, and less stress is achievable with the right approach to application security – and motivation for talented team members. 

Security and development professionals know their worth

According to data from IBM, the average cost of a data breach in 2021 was $4.24 million. In our research, we found that 65% of respondents believe they’ve saved their organizations over $1 million this year by preventing cybersecurity breaches and potential exploits. Individual developers estimate they’ve saved their companies a median of $2.4 million this year in cybersecurity incidents, while their security counterparts estimate that number to be around $5 million. That’s a median of $3.2M saved this year. 

And despite digital transformation whiplash, cybersecurity pros are proud of their work. 88% “strongly” or “somewhat” agree that they’d put ‘cybersecurity expert’ in their online dating profiles, while 94% say that digital transformation and the move to a remote work model in recent years have made their role more valuable and rewarding. 

The impact of overworked teams and the IT talent shortage is undeniable

The data tells a strong story that – at work and off the clock – DevSecOps professionals are feeling overworked and stressed. The turnover we see throughout cybersecurity isn’t going to improve without meaningful steps. The good news: as relationships between developers and security professionals are on the mend, most organizations have the foundation in place to reduce IT churn, boost cybersecurity posture, and improve morale. 

So how do we get there? Security is everyone’s job now, yet many organizations still aren’t embracing holistic programs or simply opting for solutions that alleviate common problems. Ultimately, that means teams are left in a lurch of unnecessary manual work that contributes to this low morale. When leadership brings robust security solutions to the table with integrations, automation, and accuracy as value drivers, they’ll make the lives of their cybersecurity professionals easier so everyone can refocus on innovation.