Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

Cybersecurity Staffing Shortage Tied to Cyberattacks, Data Breaches

Short-staffed cybersecurity teams contribute to data breaches and cyberattacks levied against their organizations, a survey finds.

Organizations with understaffed IT security teams face a double-whammy – not enough employees to bear the workload and a greater potential they will be hit with a cyberattack or data breach, a new survey found.

The Life and Times of Cyber Security Professionals report, which surveyed 343 global infosec workers, found 22% of respondents cite their IT security team as understaffed and that the shortage of people contributed to a security event at their organization in the past two years.

"The shortage is creating massive problems for businesses," says Jon Oltsik, senior principal analyst with the Enterprise Strategy Group (ESG), which conducted the survey on behalf of the Information Systems Security Association (ISSA).

Indeed. A total of 70% of survey respondents say the cybersecurity skills shortage, which is expected to create a deficit of 1.8 million infosec jobs by 2022, has an impact on organization.

The impact these organizations are facing:  increased work among existing IT security staff (63%), the need to hire junior employees in the absence of enough available senior IT security workers (41%), and a work environment where infosec pros are constantly addressing high-alert threats, rather making long-range strategic security plans (41%).

Acute Shortage of Cybersecurity Skills

One-third of organizations say security analysis and investigations as well as application security both topped the list of IT security skills in acute shortage, followed by cloud security.

"I would focus on filling app security positions," says Candy Alexander, ISSA Cyber Security Career Lifecycle chief architect. "It's been an issue for a while and it isn't going away."

Security analysis investigation requires a special skillset, making it even more difficult to find such professionals in an already tight IT security market, she says.

In situations were certain job skills face an acute shortage, companies tend to poach another organization's IT security staff, or use an outsource service, Oltsik says.

Training 

Cybersecurity skills development is critical to keep team members sharp, 96% of survey participants agree. But 67% note that learning new skills is difficult to achieve given the heavy workload.

A lot of the headlines in the past decade have been about the cybersecurity staffing shortage, Alexander says, adding that there is not necessarily a staffing shortage but rather a problem of having a deficit of workers with the appropriate skills.

Businesses, she adds, tend to view training as sending employees to a class to listen to an instructor. But just-in-time training - where trainees get only they information they seek when they need it regarding risks they want to mitigate - is a better training method.

Just 38% of respondents say their employer provides the cybersecurity team with the right level of training to stay abreast of business and IT risks.

Job Satisfaction

The vast majority of IT security pros are very satisfied, 40%, with their current job, or at least somewhat satisfied, 48%, the survey found.

Financial compensation topped the list of job satisfaction drivers, according to 42% of survey respondents. That was followed by support and financial incentives to advance IT security careers, 38%, and business management expressing a commitment to strong cybersecurity, 37%.

These job satisfaction drivers may be important to note for retention efforts, given nearly half of the survey respondents have been approached by cybersecurity recruiters at least once a week, the survey notes.

"For businesses this is bad because it can lead to a high level of attrition and inflated salaries," Oltsik warns.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NoahData
50%
50%
NoahData,
User Rank: Apprentice
11/14/2017 | 4:27:32 AM
Cybersecurity Staffing Shortage

Real fact about the employee skills and the industries requirement seems to be a big gap in CyberSecurity.
vasukivasudav
50%
50%
vasukivasudav,
User Rank: Apprentice
11/13/2017 | 7:15:49 AM
Re: Pending Review
Great
Herve-FR
100%
0%
Herve-FR,
User Rank: Author
11/13/2017 | 3:46:02 AM
Cybersecurity Staffing Shortage
With GDPR to be live in May 2018 it is going to we worse as lot of organizations in Eruope are not really ready for !

 
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2079
PUBLISHED: 2019-11-22
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
CVE-2019-11325
PUBLISHED: 2019-11-21
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
CVE-2019-18887
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
CVE-2019-18888
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. T...
CVE-2019-18889
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.