Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

End of Bibblio RCM includes -->

Organizations Still Struggle to Hire & Retain Infosec Employees: Report

Security leaders are challenged to fill application security and cloud computing jobs in particular, survey data shows.

BLACK HAT USA 2021 — Las Vegas — Is the cybersecurity skills shortage overstated? No, according to a recent survey of Information Systems Security Association (ISSA) members. The majority of respondents report the skills shortage is a significant problem that is hurting organizations. 

ISSA, along with industry analyst firm Enterprise Strategy Group (ESG), surveyed 489 cybersecurity professionals and found 57% of organizations have been affected by the skills shortage. Most (95% of) respondents think the cybersecurity skills shortage and its associated effects have not improved over the past few years, and 44% say the problem has gotten worse. Only 5% say the shortage has improved.

"We are just not making progress," said ESG Analyst Jon Oltsik, who co-presented the data with Candy Alexander, Board President of ISSA International, in a session at this week's Black Hat conference titled "The Life and Times of the Cybersecurity Professional". 

Security teams are feeling pinched because of the skills shortage, the top ramifications of which include an increasing workload for cybersecurity teams (62%), unfilled open job requisitions (38%), and high burnout among staff (38%).

Data shows the top 3 skills areas where a shortage is most acute are cloud computing security (39%), security analysis and investigations (30%), and application security (30%).

"Application security is an area that has been underinvested in for years," said Oltsik. "But in an era of cloud native applications, development automation, of DevOps, it's become even more important."

Alexander noted that the cultural tension between DevOps and security continues because of a lack of skilled help in application security.

"God bless the developers," she said. "This has been a fight we've been trying to break through in the ISSA. We're really trying to have a common understanding and language of how can we partner to be better at developing secure applications."

What actions can security leaders take to address the security skill shortage? Respondents were asked what they could do. Their top answers included increasing the commitment to cybersecurity training (39%), increasing compensation (37%), and providing incentives (35%).

To maintain and advance their skillsets, many security professionals need to participate in 40 hours of training each year. Nearly a quarter (21%) of those surveyed did not meet 40 hours of training per year. The main reason, as cited by 48% of respondents, is because their jobs do not pay for 40 hours of training per year and they can't afford it by themselves.

"Professionals are crying out for more training," said Oltsik. "Training is beneficial. It will decrease risk at your organization, so this is really important."

The full report can be found here.

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online. View Full Bio

Comment  | 
Print  | 
More Insights
//Comments
Threaded  |  Newest First  |  Oldest First
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-41347
PUBLISHED: 2022-09-26
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.x and 9.x (e.g., 8.8.15). The Sudo configuration permits the zimbra user to execute the NGINX binary as root with arbitrary parameters. As part of its intended functionality, NGINX can load a user-defined configuration file, which includes pl...
CVE-2022-41352
PUBLISHED: 2022-09-26
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavisd via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also...
CVE-2022-3297
PUBLISHED: 2022-09-25
Use After Free in GitHub repository vim/vim prior to 9.0.0579.
CVE-2022-41343
PUBLISHED: 2022-09-25
registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule.
CVE-2022-3296
PUBLISHED: 2022-09-25
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577.