The Skills Gap Is Increasing Risk & Exposure To Attack
The skills gap leapt an astonishing 73 percent in the UK last year, according to the ISC(2) 2022 Cybersecurity Workforce Study, and globally it’s estimated there are 3.4million vacancies in the sector. Given that the global cybersecurity workforce itself totals 4.7million, that means there’s a deficit of 42 percent in real world terms.
The effects of these shortages are now becoming apparent, with organisations struggling to recruit sufficient talent and to maintain security levels.
Last year, a report by The World Economic Forum found that 60% said they would “find it challenging to respond to a cybersecurity incident owing to the shortage of skills within their team”. Such fears are proving justified given that, of those businesses that suffered a cyber attack, 69% were found to be “somewhat or significantly understaffed”, according to the ISACA State of Cybersecurity 2022 report.
Furthermore, the Fortinet Cybersecurity Skills Gap Global Research Report found 80 percent of the organisations it surveyed worldwide had suffered one or more breaches that could be attributed to a lack of cybersecurity skills and 67 percent agreed that the shortage of qualified cybersecurity candidates was creating additional risk.
Where The Holes Are Appearing
So how are those risks manifesting themselves? It stands to reason that the security team will have to prioritise workloads and that some of the more ‘mundane’ tasks will therefore be side-lined. Teams report there is now insufficient time to carry out risk assessment and management (reported by 48 percent, up from 31 percent the previous year), oversights in process and procedure (43 percent, up from 29 percent) and tardy patching (39 percent, up from 29 percent), according to the ISC(2) report.
What this means in practice is that the security team becomes less proactive and more reactive, inevitably leading us back to a whack-a-mole approach to security. Small wonder, then, that Gartner has stated that by 2025, “lack of talent and human failure will be responsible for over half of significant cyber incidents”.
Shortages can also result in job creep, whereby those on the team are given more work to do or tasks they are not trained in. A recent The State of Security 2022 report from Splunk has found that 76 percent of security team members have been forced to take on responsibilities they are not ready for, leading them to feel overstretched, under pressure and are at risk of making a mistake. This, in turn, creates a vicious cycle because disillusioned and stressed employees are more likely to leave. So, too, as it happens are those in organisations where a breach occurs, with 54 percent of all staff saying they would consider walking post-breach, which reveals just how critical security is to confidence in the company.
The bad news is that there’s little prospect of the situation improving. The Department for Digital, Culture, Media and Sport (DCMS), revised its projection up by over 40 percent last year, stating that 14,100 new entrants were needed annually to meet demand. While, at the other end of the spectrum, we’re seeing experienced professionals leave in their droves, with recent research revealing 32 percent of CISOs and Security Managers in the UK and US are considering quitting.
Addressing The Shortfall
Yet the good news is that companies are beginning to explore other options to help resolve the shortfall. There’s now more emphasis on retention, for example, with the ISC)2) study finding that proactive measures can really make a difference. Making employees feel their contributions are valued, providing them with training and scoping out a career plan can all help encourage staff to stay. Look internally, too, at where you can provide opportunities for staff to move into security from other departments and put in place a mentorship scheme to support them.
Another avenue to explore is automation, with around a quarter of those questioned in the ISC(2) study intending to invest in the future. Such cybersecurity solutions can be invaluable in automating repeatable processes, enabling security teams to focus on higher level tasks, increasing productivity and alleviating stress. But they are a supplement to, rather than a substitute for, talent.
What many need to do is to reappraise their recruitment strategies. Diversity, Equity and Inclusion (DEI) drives are helping to open up the playing field but there’s still an over-emphasis on qualifications and certifications that can see viable candidates excluded from the process. Instead, look at any transferable skills candidates may have, such as soft skills in communication and leadership, and seek to test their aptitude and problem-solving skills during the interview process.
Nearly half of those now working in the profession under 30 years old came from a career outside of IT, according to the ISC(2), which means people are fighting the tide to enter the profession from unrelated disciplines. If we don’t give the opportunity to prove themselves, we deny them a promising career and the sector the new recruits it so desperately needs.
Jamal Elmellas is COO of Focus-on-Security
You Might Also Read:
Is Standardisation Of The Cybersecurity Profession A Good Thing?:
___________________________________________________________________________________________
If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.
- Individual £5 per month or £50 per year. Sign Up
- Multi-User, Corporate & Library Accounts Available on Request
- Inquiries: Contact Cyber Security Intelligence
Cyber Security Intelligence: Captured Organised & Accessible