Organizations Still Struggle to Hire & Retain Infosec Employees: Report

Security leaders are challenged to fill application security and cloud computing jobs in particular, survey data shows.

BLACK HAT USA 2021 — Las Vegas — Is the cybersecurity skills shortage overstated? No, according to a recent survey of Information Systems Security Association (ISSA) members. The majority of respondents report the skills shortage is a significant problem that is hurting organizations. 

ISSA, along with industry analyst firm Enterprise Strategy Group (ESG), surveyed 489 cybersecurity professionals and found that 57% of organizations have been affected by the skills shortage. Most respondents (95%) think the cybersecurity skills shortage and its associated effects have not improved over the past few years, and 44% say the problem has gotten worse. Only 5% say the shortage has improved.

"We are just not making progress," said ESG Analyst Jon Oltsik, who co-presented the data with Candy Alexander, Board President of ISSA International, in a session at this week's Black Hat conference titled "The Life and Times of the Cybersecurity Professional". 

Security teams are feeling pinched because of the skills shortage, the top ramifications of which include an increasing workload for cybersecurity teams (62%), unfilled open job requisitions (38%), and high burnout among staff (38%).

The data shows that the three skill areas where the shortage is most acute are cloud computing security (39%), security analysis and investigations (30%), and application security (30%).

"Application security is an area that has been underinvested in for years," said Oltsik. "But in an era of cloud native applications, development automation, of DevOps, it's become even more important."

Alexander noted that the cultural tension between DevOps and security continues because of a lack of skilled help in application security.

"God bless the developers," she said. "This has been a fight we've been trying to break through in the ISSA. We're really trying to have a common understanding and language of how can we partner to be better at developing secure applications."

What actions can security leaders take to address the security skills shortage? Respondents were asked what their organizations could do. Their top answers were increasing the commitment to cybersecurity training (39%), increasing compensation (37%), and providing incentives (35%).

To maintain and advance their skill sets, many security professionals need to complete 40 hours of training each year. Nearly a quarter (21%) of those surveyed did not reach 40 hours of training per year. The main reason, cited by 48% of respondents, is that their employers do not pay for 40 hours of training per year and they cannot afford it themselves.

"Professionals are crying out for more training," said Oltsik. "Training is beneficial. It will decrease risk at your organization, so this is really important."

The full report can be found here.

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.