How the Skills Gap Strains – and Constrains – Security ProsNew ISSA/ESG survey underscores increasing pressures and security fallout of a strapped security team.
Most cybersecurity professionals are struggling with heavier workloads and insufficient time to properly master and deploy all of their security tools' features, as well as hone their own skills, according to a new report.
The third annual Enterprise Strategy Group (ESG) and Information Systems Security Association (ISSA) International report on the state of cybersecurity professionals worldwide says nearly three-quarters of organizations are dealing with the fallout of the industry's skills gap. In the past two years, nearly half of the organizations surveyed suffered at least one damaging security incident in which a critical system was compromised, according to the report.
More than 65% of security pros say their current job demands typically impede their ability to develop and advance their skills, and 47% say they can't fully learn and use some security technologies to their "full potential."
"Cybersecurity professionals don't have the luxury of time to improve their skills and manage their careers," says Jon Oltsik, senior principal analyst and fellow at ESG and author of the report. That's a dangerous trend given the increasing demands of more IT devices, applications, and cloud migration without advancing security with these IT moves, he notes.
Overall, cybersecurity pros are fatalistic about their ability to protect their organizations from attackers: A full 91% say most organizations are vulnerable to a major cyberattack, and 94% say cybercriminals and nation-state hackers have the edge over defenders.
"Cybersecurity professionals feel their organizations are at a significant disadvantage if they don't have the ability to acquire new skills," says Candy Alexander, president of ISAA International and an executive cybersecurity consultant.
The report, which drew from a survey by ESG of 267 security and IT pros from ISSA and other groups worldwide, highlights the disconnect between the increasing demands on security pros and the lack of sufficient training and support they need to stay on top of threats.
Some 63% say their organization fails to properly train security staff, which is lacking most glaringly in cloud security, application security, and security analysis and investigation talent.
Filling vacancies and expanding teams takes time. According to a recent ISACA report, finding and hiring qualified cybersecurity pros takes longer than ever now: Thirty-two percent of organizations say filling a position takes six months, up from 26% last year, and more than 60% of organizations say positions sit vacant for at least three months, up from 55% last year.
Some of the biggest stressors for security pros lie in-house: keeping abreast of new IT projects (40%), learning about new IT projects launched without input or help from the security team (39%), getting end users to embrace best security practices (38%), and getting the business side to better comprehend the risks of cyberthreats (37%).
According to Alexander, those and other organizational stresses are driving some CISOs out the door and to gigs as so-called virtual CISOs, where they operate as a contractor CISO for an organization. It's sort of a next-generation consultant role for C-level security executives. Some 10% of organizations in the survey employ a virtual CISO, while nearly 30% of CISOs in the survey work on this contractor basis, 21% are thinking about doing so, and 33% say they would weigh that option in the future.
That jibes with Alexander's own career path from a traditional CISO to virtual CISO, she says. "It's been a natural progression. Part of that driver is the frustration and stress of being an FTE [full-time employee] CISO," she says. "By going into this virtual space, I am now able to go and do the work without having to prove the value [of the work]. Organizations who hire virtual CISOs know what they need, and you're not fighting organizational challenges that could include fighting for budget."
Meanwhile, cybersecurity professionals remain in high demand in what is still a seller's market. Some 77% of cybersecurity pros are contacted by recruiters at least once a month, and 44% at least once a week. "If you want to develop your career, cybersecurity will have no shortages of offers," Oltsik notes.
Among the suggestions security pros have for their organizations is to add cybersecurity goals and metrics for IT and business managers, increase training for the security team as well as nontechnical staff, and provide higher security budgets, according to the report.
"We're at a tipping point in cybersecurity: It's more strategic to the business now, and things that were done in the past aren't really working. If you realize that's the case, then you have to start with strategic changes so the CISO can come in and ... help put [together] the right security program and strategy," Oltsik says.
Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.