It won’t come as much of a surprise to cybersecurity professionals that a shortage of cybersecurity skills is becoming more acute. A new survey of 343 cybersecurity professionals published by the Information Systems Security Association (ISSA) in collaboration with the market research firm Enterprise Strategy Group (ESG) finds that not only do 70 percent say the cybersecurity skills shortage has had an impact on their organization; a full 62 percent say their organizations are falling behind in providing an adequate level of training for their cybersecurity professionals. That represents a full 10 percentage point game over the same survey conducted by ISSA last year.
Specifically, a shortage of security analysis and investigations skills tied with a shortage of application security skills as the highest cause for concern (31%); followed closely by 29 percent citing a shortage of cloud computing security skills.
The ISSA survey goes on to identify the top five cybersecurity investment mistakes most organizations are making today:
1. Not Aligning Cyber Security and Business Goals: Respondents suggest the number one most beneficial action organizations can take is adding goals and metrics to IT and business managers (43 percent) and vice versa.
2. Not Building Repeatable Processes: Survey respondents say one of the top two cybersecurity challenges is reducing manual and informal processes for cybersecurity (28 percent). They suggest that the number two most beneficial action organizations can take is to document and formalize all cybersecurity processes (41 percent).
3. Not Investing in Training: Survey respondents suggest that three of the most beneficial actions organizations can take are investing in more training and education at all levels, from non-technical employees and IT and cybersecurity teams to executive management.
4. Not Providing the Right Training: Survey respondents by far look to specific training courses (76 percent) and professional development organizations (71 percent) to build knowledge, skills, and abilities (KSAs), rather than security certifications.
5. Not Assuming a Perpetual Skills Shortage in Future Planning and Strategy: Survey respondents say the number one cybersecurity challenge is the cybersecurity staff being understaffed for the size of their organization (29 percent). Organizations need to create aggressive programs for recruiting talent from IT teams, especially IT operations and networking technology experience.
There’s no doubt the average IT professional will need to play a much bigger role in cybersecurity. After all, cybercriminals are making it much simpler for people with the most rudimentary IT skills to launch attacks. Given that increased volume of attacks, everyone and anyone with IT skills within an organization needs to be actively engaged in cybersecurity.
The good news advances in analytics and artificial intelligence coupled with automation and training are being made. The State of Georgia is investing $60 million in a cybersecurity training center. There are even now advanced cybersecurity attack simulation tools from companies such as Circadence and Skaion that can be employed to train staff on what an attack on their company’s specific IT environment might require to defend.
But the odds remain stacked against cybersecurity professionals. The real issue now is how much longer can cybersecurity professionals be able to continue to defend the enterprise against hordes of attacks before being overwhelmed. There are clearly more advanced weapons beginning to make their way from the lab to the frontline. But based on all the reports coming from in from the field, time is clearly running out.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot.Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.