CISOs who are successful at reducing or closing the critical skills gap have the highest probability of minimizing the business impact of cyberattacks – even when budgets and staffing are constrained, according to the results of a new SANS Institute survey.
The pandemic brings uncertainty
The survey happened to kick off within days of the World Health Organization declaring COVID-19 a pandemic. As such, the results reflect a high degree of uncertainty around future hiring plans as well as an increase in plans to use outsourced services until staffing plans stabilize.
Even with the future uncertainty brought on by the pandemic, the survey covered staff changes in 2019, qualitative responses on what skills security managers see a need for, which needs they plan on staffing internally, and where they plan on using external service providers.
Closing the skills gap
Other than at very small businesses and in the government vertical, the survey found that turnover and attrition rates for cybersecurity staff are at or below industry averages. Even so, security managers indicated they tend to fall back on attrition as the reason for requesting staff increases, which reflects a lack of meaningful cybersecurity metrics being employed at many organizations.
Security operational skills were cited as most needed by survey respondents, and cloud security skills were more sought after than network or endpoint security skills.
While the most successful source for new cybersecurity employees was the company’s existing internal IT staff, hiring managers indicated they would most like to see new hires with hands-on experience using common cybersecurity products – open-source tools, in particular.
“This skills gap survey once again pointed out that despite all the headlines about a cybersecurity headcount shortage, it is really a skills gap – security people with hands-on experience with the top security tools and how to use them across hybrid cloud/on-premises systems are being hired for the skills, not just to add bodies,” says John Pescatore, SANS Director of Emerging Security Trends. “By investing in training and tools skills as well as the maintenance of those skills, the increased productivity and reduced security staff attrition provides a huge return on investment.”