Dark Reading is part of the Informa Tech Division of Informa PLC
This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
BLACK HAT USA 2021 — Las Vegas — Is the cybersecurity skills shortage overstated? No, according to a recent survey of Information Systems Security Association (ISSA) members. The majority of respondents report the skills shortage is a significant problem that is hurting organizations.
ISSA, along with industry analyst firm Enterprise Strategy Group (ESG), surveyed 489 cybersecurity professionals and found 57% of organizations have been affected by the skills shortage. Most (95% of) respondents think the cybersecurity skills shortage and its associated effects have not improved over the past few years, and 44% say the problem has gotten worse. Only 5% say the shortage has improved.
"We are just not making progress," said ESG Analyst Jon Oltsik, who co-presented the data with Candy Alexander, Board President of ISSA International, in a session at this week's Black Hat conference titled "The Life and Times of the Cybersecurity Professional".
Security teams are feeling pinched because of the skills shortage, the top ramifications of which include an increasing workload for cybersecurity teams (62%), unfilled open job requisitions (38%), and high burnout among staff (38%).
Data shows the top 3 skills areas where a shortage is most acute are cloud computing security (39%), security analysis and investigations (30%), and application security (30%).
"Application security is an area that has been underinvested in for years," said Oltsik. "But in an era of cloud native applications, development automation, of DevOps, it's become even more important."
Alexander noted that the cultural tension between DevOps and security continues because of a lack of skilled help in application security.
"God bless the developers," she said. "This has been a fight we've been trying to break through in the ISSA. We're really trying to have a common understanding and language of how can we partner to be better at developing secure applications."
What actions can security leaders take to address the security skill shortage? Respondents were asked what they could do. Their top answers included increasing the commitment to cybersecurity training (39%), increasing compensation (37%), and providing incentives (35%).
To maintain and advance their skillsets, many security professionals need to participate in 40 hours of training each year. Nearly a quarter (21%) of those surveyed did not meet 40 hours of training per year. The main reason, as cited by 48% of respondents, is because their jobs do not pay for 40 hours of training per year and they can't afford it by themselves.
"Professionals are crying out for more training," said Oltsik. "Training is beneficial. It will decrease risk at your organization, so this is really important."
The full report can be found here.
Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online. View Full Bio
Everything You Need to Know About DNS AttacksIt's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask.
Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted.
Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Tweet This
1 Comments
