Turnover in IT isn't something we hear about very often given the demand for such expertise. But it does happen and it often creates unintended consequences for the business in terms of information risks. I've got many colleagues that often jump ship in IT looking for that next gig. This is often in the name of more money but there are other factors such as lack of management support, budget cuts/layoffs, and people growing weary of being overworked. I've witnessed it firsthand. Turnover in IT – regardless of the amount – is bad for information security.
IT pros are struggling enough as it is to keep up with the daily fires that must be put out. I worked on that side of IT for years and understand that there's just never enough time in the day to get the urgent stuff done. This is especially true for those working in security roles given the burdens they're carrying, worrying about their jobs while fighting off the threats. Whether it's by choice or by force, any sort of reduction in the size of IT and security teams that leads to fewer resources is no doubt going to create more security risks, at least in the short term, and especially for businesses that don't already have a strong security program. I've also seen situations where security management processes created out of necessity in the short term can lead to long-term security risks. You know the drill – once a security process is put in place, it often stays that way, even if it's bad.
Many organizations approach this issue from the wrong perspective. Some in management assume that they can simply replace whoever leaves with someone new and they won't miss a beat. That's hardly the case as there's always a sizable time window required for new IT staff to learn the environment, figure out the politics and culture of the organization and so on. Furthermore, when people in too hurried and overwhelmed in IT, they make mistakes and often fail to see the bigger picture. I don't know of any organization that can afford to take that on.
IT turnover is real and so are its consequences. Whether you're in management and wish to ensure a smooth transition when the time comes or you're in IT and want to set your organization up for success, make sure that all of the critical areas are adequately documented and that knowledge is appropriately transferred. The last thing your business needs is for staff members to leave and you end up with a complex environment with no documentation, no passwords, and no direction. Come up with a plan to work through these things – starting this week – so that the impact of any risks that do surface during rough times are kept to a minimum.