Research from the Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG) finds that the cyber security skills is worsening and becoming a rapidly widening business problem.
Source: Rawpixel / iStock / Getty
Findings are based on the lifecycle of cyber security professionals’ careers and their opinions about their organizations’ cyber security practices, as well as the overall state of cyber security. The survey includes responses from more than 340 information security professionals, representing organizations of all sizes and industry sectors worldwide. It is the second annual research study by ISSA and ESG.
Survey Findings
As in the past, a majority of survey respondents (70 percent) believes that the cyber security skills shortage has had an impact on their organization. However, most of these same organizations (62 percent) are falling behind in providing an adequate level of training for their cyber security professionals. This is an increase of nearly 10 percent compared to last year.
Further, the report confirms that the cyber security skills shortage is exacerbating the number of data breaches: Forty-five percent of organizations experienced at least one security event over the past two years. Moreover, 91 percent of survey respondents believe most organizations are vulnerable to a significant cyber-attack or data breach.
The cyber security skills shortage represents the top two contributing factors to these security events, with the first being a lack of adequate training of non-technical employees (31 percent) and the second being a lack of adequate cyber security staff (22 percent). These are followed by business executive management making cyber security a low priority (20 percent).
Additionally, there continues to be acute shortages in key areas with little improvement from last year. Thirty-one percent of respondents point to a shortage of security analysis and investigations skills, 31 percent indicate a shortage of application security skills, and 29 percent claim a shortage of cloud computing security skills.
Serious Implications
ISSA and ESG indicate that these findings should serve as a warning to organizations trying to defend against increasing threats and regulatory demands. Their cyber security teams are understaffed and lacking advanced skills.
“The cyber security skills shortage represents an existential threat to our national security, and this year-over-year comparison data bears out this fact. We are not making progress, cyber security professionals can’t scale, and the implications of the skills shortage are becoming more pervasive and ominous. It is clear that the solution must be about more than filling jobs. It is about creating an environment from the top down of cyber security as a priority,” said Jon Oltsik, senior principal analyst at ESG and the author of the survey report.
“While there are many studies on the cyber security workforce gap, this is the only one to identify and go after the root cause of the deepening cyber security skills gap and provide actionable steps that every organization can take. The findings are clear that, while organizations have been investing in new cyber security technology, they are not investing enough in their people. We, as a profession, need to help business understand the cyber security skills investment vs. risk tradeoff,” said Candy Alexander, member of the ISSA International Board of Directors and chief architect of the ISSA Cyber Security Career Lifecycle.
Top Mistakes and Fixes
ISSA and ESG share the top five cyber security investment mistakes and fixes for businesses, based on survey findings:
1. Not aligning cyber security and business goals. Respondents suggest the number one most beneficial action organizations can take is adding goals and metrics to IT and business managers (43 percent) and vice versa.
2. Not building repeatable processes. Survey respondents say one of the top two cyber security challenges is too many manual and informal processes for cyber security (28 percent). They suggest that the number two most beneficial action organizations can take is to document and formalize all cyber security processes (41 percent).
3. Not investing in training. Although companies are increasing their cyber security spend, especially in technology, they are investing in the wrong places. Survey respondents suggest that three of the most beneficial actions organizations can take are investing in more training and education at all levels, from non-technical employees and IT and cyber security teams to executive management.
4. Not providing the right training. Survey respondents by far look to specific training courses (76 percent) and professional development organizations (71 percent) to build knowledge, skills, and abilities (KSAs), rather than security certifications. Organizations can also employ more sophisticated and continuous training, such as just-in-time online training, and focus on specific skills including application and cloud security, and map these into training plans for overall career path development.
5. Not assuming a perpetual skills shortage in future planning and strategy. Survey respondents say the number one cyber security challenge is the cyber security staff being understaffed for the size of their organization (29 percent). With no end in sight on this issue, organizations can create aggressive programs for recruiting talent from IT teams, especially IT operations and networking technology expe