There are many reasons why IT professionals can be fired, but six out of the top nine are related to security, said a survey released this morning.
For example, having a tech investment that leads to a security breach was considered a fireable offense by 39 percent of organizations, according to Osterman Research, which conducted the survey.
A data breach that becomes public was a fireable offense for 38 percent of companies.
Other fireable offenses included failing to modernize a security program, data breaches with unknown causes, data breaches that do not become public, and the failure of a security product or program investment.
Failing to meet regulatory compliance and getting a large fine or penalty was the top offense, with 68 percent of organizations considering it reason for dismissal.
Some of this may not, strictly speaking, be the employee's fault. If a very dedicated attacker, such as a foreign country, is committed to getting the data, there's very little that an organization can do to stop them.
Or the problem could have been caused by the lack of a budget for, say, penetration testing.
According to the report, 24 percent of respondents said that there was "always" or "often" a disagreement between IT security and the C-suite about budgeting and staffing issues. Another 46 percent said that there were problems "sometimes."
But at the end of the day, if there's a big problem, someone is going to have to be held accountable.
"This is why the CSO position is such a hot seat," said Chris Schueler, senior vice president of managed security services at Trustwave Holdings, the company that sponsored the report. "Because the bucks stop there."
Other times, the problem may well have been avoidable. For example, he said, he's seen cases where staffers created back doors into databases, circumventing security controls, to make their lives easier.
He has also seen cases where employees took their work laptops home and let their kids play on them, visit dangerous sites, and download malware that then infected corporate networks.
"Those are real use cases," he said. "I've seen those occur many times."
But while enterprises may consider these issues to be fireable offenses, they may be reluctant to actually go and fire people because of the current labor market.
"If you get rid of a person, well, guess what, now I've got some huge chasm I have to fill," he said. "And it might take me months to find a qualified person. You ask yourself, do I really want to fire them? How bad is this person, really?"
People with rare or mission-critical security skills may feel that they are untouchable, despite whatever issues they might have on their jobs.
"I lived this and I see it with customers," said Schueler. "I talk to CSOs, I talk to all their security teams, and you witness it. We are like, 'Wow, I can't believe you still have that person around, they're horrible'."
The lack of talent also increases the likelihood of security breaches, simply because there aren't enough people around to monitor and respond to incidents.