Cybersecurity skills shortage still the root cause of rising security incidents

The cybersecurity skills shortage is worsening for the third year in a row and has impacted nearly three quarters (74 percent) of organizations, as revealed in the third annual global study of cybersecurity professionals by the Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG).

Security incidents with serious ramifications

Further the report confirms that the cybersecurity skills shortage continues to be the root cause of rising security incidents, as organizations remain plagued by a lack of end-user cybersecurity awareness and the inability to keep up with the growing cybersecurity workload.

Almost half (48 percent) of respondents have experienced at least one security incident over the past two years with serious ramifications including lost productivity, significant resources for remediation, disruption of business processes and systems, and breaches of confidential data.

In fact, cybersecurity professionals are downright skeptical about their chances for success. Ninety-one (91) percent believe that most organizations are vulnerable to a significant cyber-attack. And an overwhelming 94 percent believe that the balance of power is with cyber-adversaries over cyber-defenders. With the battlefield advantage skewed, organizations face increasing and potentially devastating cyber-risks.

Lack of cybersecurity training

Despite these findings, for the third straight year, sixty-three (63) percent of organizations continue to fall behind in providing an adequate level of training for their cybersecurity professionals. The most acute skills shortages shifted this year to cloud security (33 percent), followed by application security (32 percent) and security analysis & investigations (30 percent).

In an era where business leaders are more reliant on technology for success and are facing more scrutiny and accountability than ever before, this lack of progress and the resulting cyber risk for organizations and their shareholders, customers and business partners should be a cause for concern for business and technology leaders alike.

The consequences of stress and burnout

The research also indicates an alarming personal impact related to cybersecurity jobs. While cybersecurity professionals remain dedicated to their craft, attracted by the deep technical challenges and moral implications, this year’s study explores for the first time the causes and consequences of stress and burnout, including:

• Stressful aspects of the job: Forty (40) percent responded with keeping up with security needs of new IT initiatives, followed closely by “shadow” IT initiatives, trying to get end-users to better understand cyber-risks and change their behavior, and trying to get the business to better understand cyber risks.
• Added stress of new data privacy responsibilities: Almost one year in, GDPR is in full swing, and cybersecurity teams may not be up to the task. Eighty-four (84) percent claim that the cybersecurity team at their organization has taken a more active role with data privacy over the past 12 months, but 21 percent don’t believe the cybersecurity team has been given clear directions and 23 percent don’t believe the cybersecurity team has been given the right level of training.
• Job-related pressures driving virtual CISO (vCISO) as attractive career option: Ten (10) percent of organizations now employ a vCISO. Furthermore, 29 percent of CISOs are working as a vCISO while another 21 percent are considering it and 33 percent would consider it in the future. Almost half claim that working as a vCISO brings more variety and flexibility to a CISO position. CISOs are clearly seeking to avoid some of the politics and stress while taking more control of their careers.

“Based upon the results of this year’s and past research projects, it is safe to conclude that cybersecurity progress has been marginal at best over the last three years. ESG and ISSA agree with security researcher, author and ISSA Hall of Fame recipient Bruce Schneier’s quote, ‘We may be making some cybersecurity improvements but we are getting worse faster.’

“This issue should be of concern to technologists, business executives and private citizens and continues to cause an existential threat to national security,” said Jon Oltsik, Senior Principal Analyst and Fellow at the Enterprise Strategy Group (ESG) and the author of the report.

“Organizations are looking at the cybersecurity skills crisis in the wrong way: it is a business, not a technical, issue. Business executives need to acknowledge that they have a key role to play in addressing this problem by investing in their people.

“In an environment of a ‘sellers market’ with 77 percent of cybersecurity professionals solicited at least once per month, the research shows in order to retain and grow cybersecurity professionals at all levels, business leaders need to get involved by building a culture of support for security and value the function,” said Candy Alexander, CISSP CISM, Executive Cybersecurity Consultant and ISSA International President.

Top 5 roles in addressing the cybersecurity skills crisis

Business Leaders: Twenty-three (23) percent of respondents say business managers don’t understand and/or support an appropriate level of cybersecurity. Job satisfaction and employee retention depends largely upon business leadership’s commitment to cybersecurity, in addition to career incentives and competitive compensation. The number one recommended action is adding cybersecurity goals and metrics to IT and business managers.

CISOs: CISOs need to be more active with business executives. They want a seat at the board table. CISO success depends upon characteristics like communication skills, leadership skills, a strong relationship with business executives, and a strong relationship with the CIO and IT leadership team.

Practitioners: While 93 percent of survey respondents agree that cybersecurity professionals must keep up with their skills, 66 percent claim that cybersecurity job demands often preclude them from skills development. This imbalance must be addressed. Additionally, 57 percent of respondents say security certifications such as CISSP are far more useful in getting a job than doing a job. Prioritize practical skills development over certifications.

HR and Recruiters: Forty-one (41) percent of survey respondents say that their organization has had to recruit and train junior personnel rather than hire more experienced infosec professionals. Designing their own training program will develop future talent and loyalty. Casting a wider net beyond IT and finding transferable business skills and cross career transitions will help expand the pool of talent.

Educators and Trainers: KSA development with face-to-face interaction is most effective, such as attending specific cybersecurity training courses, participating in professional organizations and events, attending trade shows, and participating in on-the-job mentoring programs.

Finally, the private sector can only do so much. The public sector needs to help by investing more in training and education, public awareness, and scholarships and grants.