The Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG) revealed trending data finding that the cybersecurity skills shortage is worsening and becoming a rapidly widening business problem.
The majority of survey respondents (70 percent) continue to believe that the cybersecurity skills shortage has had an impact on their organization - yet these same organizations (62 percent, up almost 10 percent from last year) are falling behind in providing an adequate level of training for their cybersecurity professionals.
Further, the report confirms that the cybersecurity skills shortage is exacerbating the number of data breaches: Forty-five percent of organizations experienced at least one security event over the past two years, and 91 percent of survey respondents believe most organizations are vulnerable to a significant cyber-attack or data breach. The cybersecurity skills shortage represents the top two contributing factors to these security events, with the first being a lack of adequate training of non-technical employees (31 percent) and the second being a lack of adequate cybersecurity staff (22 percent). These are followed by business executive management making cybersecurity a low priority (20 percent).
Additionally, there continues to be acute shortages in key areas with little improvement from last year. Thirty-one percent (31 percent) of respondents point to a shortage of security analysis & investigations skills, 31 percent indicate a shortage of application security skills, and 29 percent claim a shortage of cloud computing security skills.
ISSA and ESG believe that this study offers a warning to organizations, who are trying to defend against increasing threats and regulatory demands, with a cyber security team that is understaffed and lacking advanced skills.
“The cybersecurity skills shortage represents an existential threat to our national security and this year-over-year comparison data bears out this fact. We are not making progress, cybersecurity professionals can’t scale, and the implications of the skills shortage are becoming more pervasive and ominous. It is clear that the solution must be about more than filling jobs. It is about creating an environment from the top down of cybersecurity as a priority,” said Jon Oltsik, Senior Principal Analyst at the Enterprise Strategy Group (ESG) and the author of the report.
“The Life and Times of Cyber Security Professionals” report explores more than 45 questions to better understand the staffing and skills shortage and identify impacts to business, IT and the threat landscape.
“While there are many studies on the cybersecurity workforce gap, this is the only one to identify and go after the root cause of the deepening cybersecurity skills gap and provide actionable steps that every organization can take. The findings are clear that, while organizations have been investing in new cybersecurity technology, they are not investing enough in their people. We, as a profession, need to help business understand the cyber security skills investment vs. risk tradeoff,” said Candy Alexander, member of the ISSA International Board of Directors and Chief Architect of the ISSA Cyber Security Career Lifecycle.
Top Five Cybersecurity Investment Mistakes and Fixes for Business:
1. Not Aligning Cybersecurity and Business Goals: Respondents suggest the number one most beneficial action organizations can take is adding goals and metrics to IT and business managers (43 percent) and vice versa.
2. Not Building Repeatable Processes: Survey respondents say one of the top two cybersecurity challenges is too many manual and informal processes for cybersecurity (28 percent). They suggest that the number two most beneficial action organizations can take is to document and formalize all cybersecurity processes (41 percent).
3. Not Investing in Training: Although companies are increasing their cybersecurity spend, especially in technology, they are investing in the wrong places. Survey respondents suggest that three of the most beneficial actions organizations can take are investing in more training and education at all levels, from non-technical employees and IT and cybersecurity teams to executive management.
4. Not Providing the Right Training: Survey respondents by far look to specific training courses (76 percent) and professional development organizations (71 percent) to build knowledge, skills and abilities (KSAs), rather than security certifications. Organizations can also employ more sophisticated and continuous training, such as “just-in-time” online training, and focus on specific skills including application and cloud security. And map these into training plans for overall career path development.
5. Not Assuming a Perpetual Skills Shortage in Future Planning and Strategy: Survey respondents say the number one cybersecurity challenge is the cybersecurity staff being understaffed for the size of their organization (29 percent). With no end in sight on this issue, organizations can create aggressive programs for recruiting talent from IT teams, especially IT operations and networking technology experience, as well as from business to bridge the cyber/business gap.