Cyber security professionals say adversaries have an overwhelming upper hand in the war to protect organisations from online crime – and that a skills shortage in the field is making matters worse.
Those were two key findings of the third annual ESG/ISSA research report, The life and times of cybersecurity professionals 2018, published recently. Nearly three-quarters (74 per cent) of respondents say that the cybersecurity skills shortage has impacted their organisations significantly or somewhat.
Most cybersecurity professionals (91 per cent) said their organisations were vulnerable to a significant cyber-attack. Ninety-four per cent said that the balance of power is with cyber-adversaries rather than cyber-defenders.
“It is worth noting that the cybersecurity skills shortage is about skills and not just job vacancies,” said Jon Oltsik, an ESG senior principal analyst, ESG fellow, and the founder of the firm’s cybersecurity service. “So, many organisations are understaffed and lacking advanced skills in areas like cloud security, threat intelligence, security investigations and forensics, etc.”
The report found that 66 per cent of respondents said the cybersecurity skills shortage has resulted in an increased workload on existing staff. Since there are not enough people to carry out the necessary security duties, shortages lead to increased human error, misalignment of tasks to skills, and employee burnout. About four in ten (41 per cent) of respondents said they had had to recruit and train junior employees to plug the skills gap as best they could.
Almost half of respondents (47 per cent) claimed that the cybersecurity skills shortage has resulted in an inability to fully learn or utilise some security technologies to their full potential. “Organisations are buying expensive security tools but then letting them languish since they don’t have the time or resources to take advantage of them,” Oltsik said. “Product quality doesn’t matter if no one knows how to use it properly.”
While many organisations are rushing to deploy advanced technologies and adopting “digital first” strategies, 40 per cent of respondents to the survey said they had limited time to work with business units to align cybersecurity with business processes.
“Organisations are looking at the cybersecurity skills crisis in the wrong way: it is a business, not a technical, issue. Business executives need to acknowledge that they have a key role to play in addressing this problem by investing in their people. In an environment of a ‘seller’s market’ with 77 per cent of cybersecurity professionals solicited at least once per month, the research shows in order to retain and grow cybersecurity professionals at all levels, business leaders need to get involved by building a culture of support for security and value the function,” said Candy Alexander, CISSP, CISM, Executive Cybersecurity Consultant and ISSA International President.
Lessons for employers