Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

5/9/2019
03:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

How the Skills Gap Strains – and Constrains – Security Pros

New ISSA/ESG survey underscores increasing pressures and security fallout of a strapped security team.

Most cybersecurity professionals are struggling with heavier workloads and insufficient time to properly master and deploy all of their security tools' features, as well as hone their own skills, according to a new report.

The third annual Enterprise Strategy Group (ESG) and Information Systems Security Association (ISSA) International report on the state of cybersecurity professionals worldwide says nearly three-quarters of organizations are dealing with the fallout of the industry's skills gap. In the past two years, nearly half of the organizations surveyed suffered at least one damaging security incident in which a critical system was compromised, according to the report.

More than 65% of security pros say their current job demands typically impede their ability to develop and advance their skills, and 47% say they can't fully learn and use some security technologies to their "full potential."

"Cybersecurity professionals don't have the luxury of time to improve their skills and manage their careers," says Jon Oltsik, senior principal analyst and fellow at ESG and author of the report. That's a dangerous trend given the increasing demands of more IT devices, applications, and cloud migration without advancing security with these IT moves, he notes.

Overall, cybersecurity pros are fatalistic about their ability to protect their organizations from attackers: A full 91% say most organizations are vulnerable to a major cyberattack, and 94% say cybercriminals and nation-state hackers have the edge over defenders.

"Cybersecurity professionals feel their organizations are at a significant disadvantage if they don't have the ability to acquire new skills," says Candy Alexander, president of ISAA International and an executive cybersecurity consultant.

The report, which drew from a survey by ESG of 267 security and IT pros from ISSA and other groups worldwide, highlights the disconnect between the increasing demands on security pros and the lack of sufficient training and support they need to stay on top of threats.

Some 63% say their organization fails to properly train security staff, which is lacking most glaringly in cloud security, application security, and security analysis and investigation talent.

Filling vacancies and expanding teams takes time. According to a recent ISACA report, finding and hiring qualified cybersecurity pros takes longer than ever now: Thirty-two percent of organizations say filling a position takes six months, up from 26% last year, and more than 60% of organizations say positions sit vacant for at least three months, up from 55% last year.

Stressed Out
Some of the biggest stressors for security pros lie in-house: keeping abreast of new IT projects (40%), learning about new IT projects launched without input or help from the security team (39%), getting end users to embrace best security practices (38%), and getting the business side to better comprehend the risks of cyberthreats (37%).

According to Alexander, those and other organizational stresses are driving some CISOs out the door and to gigs as so-called virtual CISOs, where they operate as a contractor CISO for an organization. It's sort of a next-generation consultant role for C-level security executives. Some 10% of organizations in the survey employ a virtual CISO, while nearly 30% of CISOs in the survey work on this contractor basis, 21% are thinking about doing so, and 33% say they would weigh that option in the future.

That jibes with Alexander's own career path from a traditional CISO to virtual CISO, she says. "It's been a natural progression. Part of that driver is the frustration and stress of being an FTE [full-time employee] CISO," she says. "By going into this virtual space, I am now able to go and do the work without having to prove the value [of the work]. Organizations who hire virtual CISOs know what they need, and you're not fighting organizational challenges that could include fighting for budget."

Meanwhile, cybersecurity professionals remain in high demand in what is still a seller's market. Some 77% of cybersecurity pros are contacted by recruiters at least once a month, and 44% at least once a week. "If you want to develop your career, cybersecurity will have no shortages of offers," Oltsik notes.  

Tipping Point
Among the suggestions security pros have for their organizations is to add cybersecurity goals and metrics for IT and business managers, increase training for the security team as well as nontechnical staff, and provide higher security budgets, according to the report.

"We're at a tipping point in cybersecurity: It's more strategic to the business now, and things that were done in the past aren't really working. If you realize that's the case, then you have to start with strategic changes so the CISO can come in and ... help put [together] the right security program and strategy," Oltsik says.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
bwilkes8@gmail.com
50%
50%
[email protected],
User Rank: Moderator
5/10/2019 | 1:52:23 PM
How the Skills Gap Strains – and Constrains – Security Pros
Kelly great article.  Is it possible the industry professionals are creating or perpetuating the problem?  I learned from a senior military NCO many years ago, "You're expendable!"  For these professionals to make the statement "they don't have time", sets themselves and the company they work for up for failure, disaster, breaches, you pick.  I took from your article that this is a mentality of the sky is falling in the security realm.  May I ask, how many of these companies are helping themselves and their security team by creating or are actively engaged in finding a solution outside of the traditional ways? This is a self-inflicted wound as we'd say in the military.  It could have been avoided, most importantly it can be corrected.  This situation is a SNAFU and not a FUBAR.

Kelly, if such a high percentage believe the Opposing Force has the edge, a repeatable solution has to be implemented to stave them off.  Are these professionals in your article advocating change within their company or are they simply just dealing with it?

Of the 65% impeded by their jobs, what percentage have onboarded a junior security member?  How many are willing to take on a junior member to mentor?  Is it more productive to be tired and burned out as security professional or to be focused?  How many have made an investment to aid in growth?  I've read many articles similar to yours stating the same thing, but I've only read one this year where the writer proposed a solution.  Here's my two cents.

Investing is done with a goal of receiving "something" in the near or distance future.  Investing is intentional and planned.  Investing is purposeful, planned and should be well executed.  How many of the professionals surveyed are investing in an aspiring or junior security professional?  "Nothing from nothing leaves nothing", no investing in the future means no return, therefore, no gain or in this case no progress in finding a solution to the frustration and burnout these professionals are experiencing.

As as an SME in my fields, in the military, I learned when and what to delegate.  Without delegation being overworked, stressed and substandard performance are guaranteed.  Delegation is not dumping your undesired tasks onto some else's plate, it's giving another individual the opportunity to learn, with oversight.  Yes, you have will spend time training that individual and in the beginning your workload is increased, but in the end a professional is created and a more manageable workload surfaces.  Oversimplified?  Yes, it is, but it's a recipe for a beginning.

I was trained to find solutions to problems and that failure was not an option.  This crisis in the making is manageable.  Just my two cents.
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: How do you like our new spear phishing email solution?
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprise
Assessing Cybersecurity Risk in Today's Enterprise
Security leaders are struggling to understand their organizations’ risk exposure. While many are confident in their security strategies and processes, they’re also more concerned than ever about getting breached. Download this report today and get insights on how today's enterprises assess and perceive the risks they face in 2019!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18881
PUBLISHED: 2019-11-12
WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in the dashboard user profile.
CVE-2019-18882
PUBLISHED: 2019-11-12
WSO2 IS as Key Manager 5.7.0 allows stored XSS in download-userinfo.jag because Content-Type is mishandled.
CVE-2019-18873
PUBLISHED: 2019-11-12
FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. An attacker can use a user account to fully compromise the system via a GET request. When the admin visits user information under "User Manager" in the control panel, the pa...
CVE-2019-18874
PUBLISHED: 2019-11-12
psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
CVE-2019-18862
PUBLISHED: 2019-11-11
maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.