Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

Organizations Still Struggle to Hire & Retain Infosec Employees: Report

Security leaders are challenged to fill application security and cloud computing jobs in particular, survey data shows.

BLACK HAT USA 2021 — Las Vegas — Is the cybersecurity skills shortage overstated? No, according to a recent survey of Information Systems Security Association (ISSA) members. The majority of respondents report the skills shortage is a significant problem that is hurting organizations. 

ISSA, along with industry analyst firm Enterprise Strategy Group (ESG), surveyed 489 cybersecurity professionals and found 57% of organizations have been affected by the skills shortage. Most (95% of) respondents think the cybersecurity skills shortage and its associated effects have not improved over the past few years, and 44% say the problem has gotten worse. Only 5% say the shortage has improved.

"We are just not making progress," said ESG Analyst Jon Oltsik, who co-presented the data with Candy Alexander, Board President of ISSA International, in a session at this week's Black Hat conference titled "The Life and Times of the Cybersecurity Professional". 

Security teams are feeling pinched because of the skills shortage, the top ramifications of which include an increasing workload for cybersecurity teams (62%), unfilled open job requisitions (38%), and high burnout among staff (38%).

Data shows the top 3 skills areas where a shortage is most acute are cloud computing security (39%), security analysis and investigations (30%), and application security (30%).

"Application security is an area that has been underinvested in for years," said Oltsik. "But in an era of cloud native applications, development automation, of DevOps, it's become even more important."

Alexander noted that the cultural tension between DevOps and security continues because of a lack of skilled help in application security.

"God bless the developers," she said. "This has been a fight we've been trying to break through in the ISSA. We're really trying to have a common understanding and language of how can we partner to be better at developing secure applications."

What actions can security leaders take to address the security skill shortage? Respondents were asked what they could do. Their top answers included increasing the commitment to cybersecurity training (39%), increasing compensation (37%), and providing incentives (35%).

To maintain and advance their skillsets, many security professionals need to participate in 40 hours of training each year. Nearly a quarter (21%) of those surveyed did not meet 40 hours of training per year. The main reason, as cited by 48% of respondents, is because their jobs do not pay for 40 hours of training per year and they can't afford it by themselves.

"Professionals are crying out for more training," said Oltsik. "Training is beneficial. It will decrease risk at your organization, so this is really important."

The full report can be found here.

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises Are Assessing Cybersecurity Risk in Today's Environment
The adoption of cloud services spurred by the COVID-19 pandemic has resulted in pressure on cyber-risk professionals to focus on vulnerabilities and new exposures that stem from pandemic-driven changes. Many cybersecurity pros expect fundamental, long-term changes to their organization's computing and data security due to the shift to more remote work and accelerated cloud adoption. Download this report from Dark Reading to learn more about their challenges and concerns.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-21719
PUBLISHED: 2022-01-28
GLPI is a free asset and IT management software package. All GLPI versions prior to 9.5.7 are vulnerable to reflected cross-site scripting. Version 9.5.7 contains a patch for this issue. There are no known workarounds.
CVE-2021-46547
PUBLISHED: 2022-01-27
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /usr/local/bin/mjs+0x2c17e. This vulnerability can lead to a Denial of Service (DoS).
CVE-2021-46548
PUBLISHED: 2022-01-27
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via add_lineno_map_item at src/mjs_bcode.c. This vulnerability can lead to a Denial of Service (DoS).
CVE-2021-46549
PUBLISHED: 2022-01-27
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via parse_cval_type at src/mjs_ffi.c. This vulnerability can lead to a Denial of Service (DoS).
CVE-2021-46550
PUBLISHED: 2022-01-27
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via free_json_frame at src/mjs_json.c. This vulnerability can lead to a Denial of Service (DoS).