The Skills Gap Is Increasing Risk & Exposure To Attack

The skills gap leapt an astonishing 73 percent in the UK last year, according to the ISC(2) 2022 Cybersecurity Workforce Study, and globally it’s estimated there are 3.4 million vacancies in the sector. Given that the global cybersecurity workforce itself totals 4.7 million, that means there’s a deficit of 42 percent in real-world terms.

The effects of these shortages are now becoming apparent, with organisations struggling to recruit sufficient talent and to maintain security levels. 

Last year, a report by the World Economic Forum found that 60% of respondents said they would “find it challenging to respond to a cybersecurity incident owing to the shortage of skills within their team”. Such fears are proving justified given that, of those businesses that suffered a cyber attack, 69% were found to be “somewhat or significantly understaffed”, according to the ISACA State of Cybersecurity 2022 report.

Furthermore, the Fortinet Cybersecurity Skills Gap Global Research Report found 80 percent of the organisations it surveyed worldwide had suffered one or more breaches that could be attributed to a lack of cybersecurity skills and 67 percent agreed that the shortage of qualified cybersecurity candidates was creating additional risk.

Where The Holes Are Appearing

So how are those risks manifesting themselves? It stands to reason that the security team will have to prioritise workloads and that some of the more ‘mundane’ tasks will therefore be side-lined. According to the ISC(2) report, teams say the shortage is leaving insufficient time for risk assessment and management (reported by 48 percent, up from 31 percent the previous year), causing oversights in process and procedure (43 percent, up from 29 percent) and delaying patching (39 percent, up from 29 percent).

What this means in practice is that the security team becomes less proactive and more reactive, inevitably leading us back to a whack-a-mole approach to security. Small wonder, then, that Gartner has stated that by 2025, “lack of talent and human failure will be responsible for over half of significant cyber incidents”.

Shortages can also result in job creep, whereby those on the team are given more work to do or tasks they are not trained in. Splunk’s recent State of Security 2022 report found that 76 percent of security team members have been forced to take on responsibilities they are not ready for, leaving them overstretched, under pressure and at risk of making a mistake. This, in turn, creates a vicious cycle, because disillusioned and stressed employees are more likely to leave. So, too, as it happens, are those in organisations where a breach occurs: 54 percent of all staff say they would consider walking post-breach, which reveals just how critical security is to confidence in the company.

The bad news is that there’s little prospect of the situation improving. The Department for Digital, Culture, Media and Sport (DCMS) revised its projection up by over 40 percent last year, stating that 14,100 new entrants were needed annually to meet demand. Meanwhile, at the other end of the spectrum, we’re seeing experienced professionals leave in their droves, with recent research revealing that 32 percent of CISOs and Security Managers in the UK and US are considering quitting.

Addressing The Shortfall

Yet the good news is that companies are beginning to explore other options to help resolve the shortfall. There’s now more emphasis on retention, for example, with the ISC(2) study finding that proactive measures can really make a difference. Making employees feel their contributions are valued, providing them with training and scoping out a career plan can all help encourage staff to stay. Look internally, too, at where you can provide opportunities for staff to move into security from other departments, and put in place a mentorship scheme to support them.

Another avenue to explore is automation, with around a quarter of those questioned in the ISC(2) study intending to invest in it in future. Such cybersecurity solutions can be invaluable in automating repeatable processes, enabling security teams to focus on higher-level tasks, increasing productivity and alleviating stress. But they are a supplement to, rather than a substitute for, talent.

What many organisations need to do is reappraise their recruitment strategies. Diversity, Equity and Inclusion (DEI) drives are helping to open up the playing field, but there’s still an over-emphasis on qualifications and certifications that can see viable candidates excluded from the process. Instead, look at any transferable skills candidates may have, such as soft skills in communication and leadership, and seek to test their aptitude and problem-solving skills during the interview process.

Nearly half of those now working in the profession under 30 years old came from a career outside of IT, according to the ISC(2), which shows that people are fighting the tide to enter the profession from unrelated disciplines. If we don’t give them the opportunity to prove themselves, we deny them a promising career and deny the sector the new recruits it so desperately needs.

Jamal Elmellas is COO of Focus-on-Security

