The Skills Gap Is Increasing Risk & Exposure To Attack

The skills gap leapt an astonishing 73 percent in the UK last year, according to the ISC(2) 2022 Cybersecurity Workforce Study, and globally it’s estimated there are 3.4million vacancies in the sector. Given that the global cybersecurity workforce itself totals 4.7million, that means there’s a deficit of 42 percent in real world terms.

The effects of these shortages are now becoming apparent, with organisations struggling to recruit sufficient talent and to maintain security levels. 

Last year, a report by The World Economic Forum found that 60% said they would “find it challenging to respond to a cybersecurity incident owing to the shortage of skills within their team”. Such fears are proving justified given that, of those businesses that suffered a cyber attack, 69% were found to be “somewhat or significantly understaffed”, according to the ISACA State of Cybersecurity 2022 report. 

Furthermore, the Fortinet Cybersecurity Skills Gap Global Research Report found 80 percent of the organisations it surveyed worldwide had suffered one or more breaches that could be attributed to a lack of cybersecurity skills and 67 percent agreed that the shortage of qualified cybersecurity candidates was creating additional risk.

Where The Holes Are Appearing

So how are those risks manifesting themselves? It stands to reason that the security team will have to prioritise workloads and that some of the more ‘mundane’ tasks will therefore be side-lined. Teams report there is now insufficient time to carry out risk assessment and management (reported by 48 percent, up from 31 percent the previous year), oversights in process and procedure (43 percent, up from 29 percent) and tardy patching (39 percent, up from 29 percent), according to the ISC(2) report. 

What this means in practice is that the security team becomes less proactive and more reactive, inevitably leading us back to a whack-a-mole approach to security. Small wonder, then, that Gartner has stated that by 2025, “lack of talent and human failure will be responsible for over half of significant cyber incidents”.

Shortages can also result in job creep, whereby those on the team are given more work to do or tasks they are not trained in. A recent The State of Security 2022 report from Splunk has found that 76 percent of security team members have been forced to take on responsibilities they are not ready for, leading them to feel overstretched, under pressure and are at risk of making a mistake. This, in turn, creates a vicious cycle because disillusioned and stressed employees are more likely to leave. So, too, as it happens are those in organisations where a breach occurs, with 54 percent of all staff saying they would consider walking post-breach, which reveals just how critical security is to confidence in the company.

The bad news is that there’s little prospect of the situation improving. The Department for Digital, Culture, Media and Sport (DCMS), revised its projection up by over 40 percent last year, stating that 14,100 new entrants were needed annually to meet demand. While, at the other end of the spectrum, we’re seeing experienced professionals leave in their droves, with recent research revealing 32 percent of CISOs and Security Managers in the UK and US are considering quitting

Addressing The Shortfall

Yet the good news is that companies are beginning to explore other options to help resolve the shortfall. There’s now more emphasis on retention, for example, with the ISC)2) study finding that proactive measures can really make a difference. Making employees feel their contributions are valued, providing them with training and scoping out a career plan can all help encourage staff to stay. Look internally, too, at where you can provide opportunities for staff to move into security from other departments and put in place a mentorship scheme to support them. 

Another avenue to explore is automation, with around a quarter of those questioned in the ISC(2) study intending to invest in the future. Such cybersecurity solutions can be invaluable in automating repeatable processes, enabling security teams to focus on higher level tasks, increasing productivity and alleviating stress. But they are a supplement to, rather than a substitute for, talent.

What many need to do is to reappraise their recruitment strategies. Diversity, Equity and Inclusion (DEI) drives are helping to open up the playing field but there’s still an over-emphasis on qualifications and certifications that can see viable candidates excluded from the process. Instead, look at any transferable skills candidates may have, such as soft skills in communication and leadership, and seek to test their aptitude and problem-solving skills during the interview process. 

Nearly half of those now working in the profession under 30 years old came from a career outside of IT, according to the ISC(2), which means people are fighting the tide to enter the profession from unrelated disciplines. If we don’t give the opportunity to prove themselves, we deny them a promising career and the sector the new recruits it so desperately needs. 

Jamal Elmellas is COO of Focus-on-Security

You Might Also Read: 

Is Standardisation Of The Cybersecurity Profession A Good Thing?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« President Biden Forbids Spyware From Government Use
Phishing Kits: The New Frontier For Hackers »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

SecuriThings

SecuriThings

SecuriThings is a User and Entity Behavioral Analytics (UEBA) solution for IoT security.

Boldon James

Boldon James

Boldon James are market leaders in data classification and secure messaging software.

7 Elements

7 Elements

7 Elements is an independent IT security testing company providing expertise in technical information assurance through security testing, incident response and consultancy.

Corrata

Corrata

Corrata is an award-winning provider of mobile security and data control solutions for enterprises.

EvoNexus

EvoNexus

EvoNexus is a technology startup incubator with locations in San Diego, Orange County, and Silicon Valley.

HackHunter

HackHunter

HackHunter’s passive sensor network continuously monitors, detects and alerts when a malicious WiFi network and/or hacking behaviour is identified.

Nokia

Nokia

Nokia is a proven leader in fixed, mobile and IoT security offering capabilities that range from systems design to integration and support.

Netragard

Netragard

Netragard has an established reputation for providing high-quality offensive and defensive security services.

HunCERT

HunCERT

HunCERT's mission is to assist Hungarian Internet Service Providers in applying appropriate procedures to address the risks of computer network incidents and to respond to such incidents.

CyberLab

CyberLab

CyberLab (formerly Chess) is a specialist cyber security company that provides a wide range of security solutions and services.

Managed IT Services

Managed IT Services

Managed IT Services is a managed IT Services Company offering a diverse range of Cyber Security services and IT solutions.

Archon Secure

Archon Secure

Archon GoSilent Cube delivers a CSfC-certified, plug-and-play security solution for classified and unclassified communication when using the public Internet.

We Hack Purple

We Hack Purple

We Hack Purple is a Canadian company dedicated to helping anyone and everyone create secure software.

Merlin Ventures

Merlin Ventures

Merlin Ventures is a strategic investor focused on driving growth and value for cybersecurity software companies with market-leading potential.

ZEST Security

ZEST Security

The ZEST platform natively integrates into your technology stack to make efficient risk remediation possible.

CyberSG TIG Centre

CyberSG TIG Centre

CyberSG TIG Centre aims to propel Singapore as the world’s premier cybersecurity innovation hub for economic growth.