Most organizations are falling behind when it comes to addressing the cybersecurity skills shortage, a new study found. And the effects of the shortage are worsening.
In its third year, the study conducted by the Information Systems Security Association (ISSA) and analyst firm Enterprise Strategy Group (ESG) surveyed 267 cybersecurity professionals worldwide. The cybersecurity skills shortage is now affecting 74% of organizations, according to the report, yet 63% of organizations are falling behind when it comes to providing adequate levels of training to their cybersecurity staff.
Major ramifications of the worsening cybersecurity skills shortage include the following:
- existing staff being overworked (66%);
- inability to learn about or use security technologies in the most effective way (47%);
- having to train or hire junior employees (41%); and
- limited time to work with business units (40%).
The skills shortage has been an ongoing problem for the infosec industry for some time and last week led President Donald Trump to issue an executive order to address the issue.
“One of my takeaways: Nothing’s improving,” said Jon Oltsik, senior principal analyst at ESG in Milford, Mass., and author of the report. “All of the programs you hear about, [including] the executive order, all that’s good, because we are getting the attention, but none of them are making a dent in the problem.”
The top three technology areas most affected by the cybersecurity skills shortage include cloud security (33%), application security (32%), and security analysis and investigations (30%), the report found.
Cybersecurity professionals not being able to stay up to date on required work skills and knowledge puts organizations at a significant disadvantage, ISSA President Candy Alexander said.
A whopping 93% of respondents agreed they must keep up with their skills or their organization will be at risk, but 66% of respondents said it’s hard to keep up with cybersecurity skills, given the demands of their job.
“While cybersecurity professionals need to keep their skill sets up, they’re too busy, and their organization isn’t providing them with enough training,” Oltsik said. “That means I, as a cybersecurity professional, need to go out on my own and figure out how to get that training. And that’s not good for the organization, it’s not good for me, and it’s not good for any of us who depend on these people to protect our data.”
Combating the cybersecurity skills shortage
Alexander said it’s time to adopt a different approach for solving the cybersecurity skills shortage.
“I would advocate that this is really not a security problem, [and] it’s really not a technology problem – this is actually a business problem,” she said. “There’s a whole bunch of opportunity when we look at it from that business perspective, as opposed to it being a security problem.”
She advised experienced cybersecurity professionals to foster and mentor people new to the field.
“I actually see it as an opportunity to bring people into our profession that may not have the traditional skill sets,” she said. “It’s an opportunity for us to grow them to become professionals that we need within our organizations.”
Christiaan Beek, lead scientist and senior principal engineer at McAfee, based in Santa Clara, Calif., recommended that cybersecurity professionals look for talent internally.
“There are people who are interested, and investing in the talent you have is valuable,” Beek said.
Beek also advised his peers in the industry to visit local schools to talk to students about cybersecurity.
“Honestly, nobody tells the students of today the opportunity that there is in cybersecurity and how cool the job is,” he said.
Alexander agreed more emphasis should be put on bringing people in from other organizational units that have transferable skills.
“For example, a security analyst that looks at security reports and data generated from scanning tools, they are evaluating data. So, why couldn’t we go over to the other side of the house and look at data analysts and pull them in?”
ESG’s Oltsik advised companies to consolidate their security technologies and automate as many security processes as they can.
“Another thing that we’re seeing is cybersecurity professionals are seeking help,” Oltsik said. “The services business is growing much faster than the product business in security, because organizations feel like they need help and they’re going to experts. That’s good, but they do have to develop a skill set on managing third-party service providers and not just take it for granted that those people will help them out.”
Working with the business
According to the report, 23% of respondents said business managers don’t understand or support the appropriate level of cybersecurity in their organization. Alexander encouraged cybersecurity professionals to talk to their employers and show interest in learning about their business goals and initiatives.
“Their job is to support the business and not stop it from happening,” Alexander said.
Cybersecurity professionals share the responsibility of educating the business, training them and working with them on cyber risk management, so they can manage cyber risk as a business function, both Oltsik and Alexander agreed.
Thirty-seven percent of respondents also said trying to get the business to better understand cyber risks is the most stressful aspect of their job.
“A lot of businesses use the ratio of cybersecurity staff and/or budget according to the size of staff and budget for IT,” Alexander said. “That’s just really an outdated way of looking at it, and it’s really quite dangerous. When we talk about staffing and budgets, we need to look at it from a risk perspective, as opposed to getting compared to our brethren on the technology side of the house.”