International. A study notes that the cybersecurity skills shortage is worsening for the third year in a row and has affected nearly three-quarters (74 percent) of organizations, according to the annual global analysis of cybersecurity professionals, conducted by the Information Systems Security Association (ISSA) and independent industry analyst Enterprise Strategy Group (ESG).
In addition, the report confirms that cybersecurity skills shortages remain the leading cause of the rise in security incidents, as organizations continue to be plagued by the end-user's lack of cybersecurity awareness and the inability to keep up with the growing cybersecurity workload. Nearly half (48 percent) of respondents have experienced at least one security incident in the past two years with serious ramifications including lost productivity, significant resources for remediation, disruption of business processes and systems, and sensitive data breaches.
In fact, cybersecurity professionals are downright skeptical about their chances of success. Ninety-one (91) percent believe most organizations are vulnerable to a significant cyberattack. And an overwhelming 94 percent believe the balance of power is with cyber adversaries over cyber defenders. With the advantage of the skewed battlefield, organizations face growing and potentially devastating cyber risks.
Despite these findings, for the third year in a row, sixty-three (63) percent of organizations remain behind in providing an adequate level of training for their cybersecurity professionals. The sharpest skills shortage shifted this year to cloud security (33 percent), followed by application security (32 percent) and security analysis and research (30 percent).
In an era where business leaders rely more on technology for success and face greater scrutiny and accountability than ever before, this lack of progress and the resulting cyber risk to organizations and their shareholders, customers, and business partners should be a cause for concern for businesses and technology leaders alike.
Research also indicates an alarming personal impact related to cybersecurity jobs. While cybersecurity professionals remain dedicated to their craft, drawn to the profound technical challenges and moral implications, this year's study explores for the first time the causes and consequences of stress and burnout, including:
• Stressful aspects of the job: Forty (40) percent responded by responding to the security needs of new IT initiatives, followed closely by "shadow" IT initiatives, trying to get end users to better understand cyber risks and change their behavior. for the business to better understand cyber risks.
• Increased stress from new data privacy responsibilities: Nearly a year later, GDPR is in full swing, and cybersecurity teams may not be up to the task. Eighty-four (84) percent claim that their organization's cybersecurity team has played a more active role with data privacy over the past 12 months, but 21 percent do not believe the cybersecurity team has received clear instructions and 23 percent do not believe the cybersecurity team has received the appropriate level of training.
• Work-related pressures that drive virtual CISO (vCISO) as an attractive career option: ten (10) percent of organizations now employ a vCISO. In addition, 29 percent of CISOs are working as vCISO, while another 21 percent are considering it and 33 percent would consider it in the future. Nearly half say working as a vCISO brings more variety and flexibility to a CISO position. CISOs are clearly trying to avoid some politics and stress while taking more control of their careers.
• "Based on the results of research projects this year and last, it is safe to conclude that cybersecurity progress has been marginal in the best of the last three years. Esg and ISSA agree with the quote from issa Hall of Famer Security Researcher, Author and Recipient Bruce Schneier, "We may be making some cybersecurity improvements, but we are getting worse faster" This issue should be a cause for concern for technologists, business executives and private citizens and continues to cause an existential threat to national security." said Jon Oltsik, senior principal analyst and member of the Enterprise Strategy Group (ESG) and author of the report.
Top 5 Roles to Address the Cybersecurity Skills Crisis
- Business leaders: 23% of respondents say business managers do not understand or support an appropriate level of cybersecurity. Job satisfaction and employee retention depend heavily on business leadership's commitment to cybersecurity, in addition to professional incentives and competitive compensation. The number one recommended action is to add cybersecurity goals and metrics to business and IT managers.
- CISOs: CISOs need to be more active with business executives. They want a seat at the board table. CISO success depends on characteristics such as communication skills, leadership skills, a strong relationship with business executives, and a strong relationship with the CIO and IT leadership team.
- Practitioners: While 93 percent of respondents agree that cybersecurity professionals should keep up with their skills, 66 percent state that cybersecurity job demands often prevent them from developing skills. This imbalance must be addressed. In addition, 57 percent of respondents say security certifications like CISSP are much more useful for getting a job than for doing so. Prioritize the development of practical skills over certifications.
- Human resources and recruiters: Forty-one (41) percent of respondents say their organization has had to recruit and train junior staff instead of hiring more experienced infosec professionals. Designing your own training program will develop future talent and loyalty. Casting a wider net beyond IT and finding transferable business skills and transitions between careers will help expand the talent pool.
- Educators and trainers: Developing KSAs with face-to-face interaction is most effective, such as attending specific cybersecurity training courses, participating in professional organizations and events, attending trade shows, and participating in mentoring programs on the job.
- Finally, the private sector can only do much. The public sector needs help by investing more in training and education, public awareness, and scholarships and grants.
