Cyber security professionals say adversaries have an overwhelming upper hand in the war to protect organisations from online crime – and that the skills shortage in the field is making matters worse.

Those were two key findings of the third annual ESG/ISSA research report, The life and times of cybersecurity professionals 2018, published recently. Nearly three-quarters (74 per cent) of respondents say that the cybersecurity skills shortage has impacted their organisations significantly or somewhat.

Most cybersecurity professionals (91 per cent) said their organisations were vulnerable to a significant cyber-attack. Ninety-four per cent said that the balance of power is with cyber-adversaries rather than cyber-defenders.

“It is worth noting that the cybersecurity skills shortage is about skills and not just job vacancies,” said Jon Oltsik, an ESG senior principal analyst, ESG fellow, and the founder of the firm’s cybersecurity service. “So, many organisations are understaffed and lacking advanced skills in areas like cloud security, threat intelligence, security investigations and forensics, etc.”

The report found that 66 per cent of respondents said the cybersecurity skills shortage has resulted in an increased workload on existing staff. Since there are not enough people to carry out the necessary security duties, shortages lead to increased human error, misalignment of tasks to skills, and employee burnout. About four in ten (41 per cent) of respondents said they had had to recruit and train junior employees to plug the skills gap as best they could.

Wasted investment

Almost half of respondents (47 per cent) claimed that the cybersecurity skills shortage has resulted in an inability to fully learn or utilise some security technologies to their full potential. “Organisations are buying expensive security tools but then letting them languish since they don’t have the time or resources to take advantage of them,” Oltsik said. “Product quality doesn’t matter if no one knows how to use it properly.”

While many organisations are rushing to deploy advanced technologies and adopting “digital first” strategies, 40 per cent of respondents to the survey said they had limited time to work with business units to align cybersecurity with business processes.

“Organisations are looking at the cybersecurity skills crisis in the wrong way: it is a business, not a technical, issue. Business executives need to acknowledge that they have a key role to play in addressing this problem by investing in their people. In an environment of a ‘seller’s market’ with 77 per cent of cybersecurity professionals solicited at least once per month, the research shows in order to retain and grow cybersecurity professionals at all levels, business leaders need to get involved by building a culture of support for security and value the function,” said Candy Alexander, CISSP, CISM, Executive Cybersecurity Consultant and ISSA International President.

Lessons for employers

  • Look for cybersecurity talent in new places. Typically, cybersecurity professionals come from three areas: IT, law enforcement, and the military, but these wells seem to be running dry. To bridge this gap, organisations must be more creative by recruiting outside these safe havens.
  • Push for more internal cybersecurity training. Cybersecurity training levels are inappropriately low at many organisations, increasing cyber-risk. A cybersecurity career demands continuing education, so information security managers must make education and training a top priority – including encouraging staff to join professional organisations, attend trade shows, and pursue advanced training courses.
  • Create a centre of cybersecurity excellence. Job satisfaction is greatest among cybersecurity professionals at organisations that provide adequate levels of training, have a cybersecurity culture, and employ a talented cybersecurity staff. That involves partnering with chief executive officers and business leaders to create a hands-on cybersecurity culture.
  • Professionalise incident response. Organisations must have the skills and processes in place to detect and respond to security incidents as quickly as possible. CISOs must assess their abilities in these areas and seek out help if they aren’t up to the critical tasks at hand. Furthermore, organisations must replace informal and manual processes with best practices.

Read The life and times of cybersecurity professionals 2018.