With employees preparing for long-term remote work that is likely to stretch into 2021 (and possibly beyond), cyber-threats are a growing concern. That means cybersecurity is increasingly valuable to businesses looking to stay afloat during uncertain times.
The reasons for this skills gap, along with all those open positions, are numerous, but a recent survey conducted by Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) finds that many cybersecurity workers feel constrained by a lack of career development and training offered to them.
At the same time, security pros believe that organizations lack strategic planning when it comes to cybersecurity. The result is that enterprises that need highly-skilled and motivated employees to ensure the business is secure are not taking the right steps to nurture the talent needed to make that happen.
“The data uncovered in this research year-over-year also demonstrates that there are multiple issues contributing to the problem of ‘a cybersecurity skills gap,’ including that businesses don’t understand the role of information security, there is no clear and agreed upon career map within our profession, and cybersecurity professionals are under constant stress of attempting to improve collaboration efforts with IT,” Jon Oltsik, senior principal analyst and fellow with ESG, wrote in the report titled The Life and Times of Cybersecurity Professionals 2020.
Cybersecurity Skills by the Numbers
The survey is based on interviews with 327 cybersecurity professionals and ISSA members, with the majority working in North America and others representing Europe, Asia, and parts of Central and South America.
Of those surveyed, seven out of 10 report that their organization has been affected by the worldwide cybersecurity skills shortage. What’s more, around 45 percent believe the skills shortage has gotten worse over the past year, while 48 percent believe it has stayed about the same. Only 7 percent believe there’s been an improvement.
One reason for this muddied view of cybersecurity is that about 68 percent of those surveyed don’t believe they have a well-defined career path. When asked, about 52 percent of participants think that hands-on skills count the most, while 44 percent believe that hands-on experience and certifications are equally important.
Steve Durbin, managing director of the not-for-profit Information Security Forum, believes that one of the major issues with this skills gap is a disconnect between human resources and the security teams. Simply put, HR doesn’t quite realize which cybersecurity skills are important, or the demands that protecting the enterprise from threats (both internal and external) places on cybersecurity professionals.
“This hinders the organization’s ability to identify relevant talent and provide adequate support for the professional development of the security workforce,” Durbin told Dice. “To bridge the divide, the information security function needs to adopt a series of well-established HR concepts. Workforce planning, the adoption of competency frameworks, along with a well-structured workforce management program, also known as talent management, are fundamental to the future success of attraction and retention strategies.”
COVID-19 Adds to the Security Headache
The ESG and ISSA study was conducted in late 2019 and early 2020, which means the survey’s results likely missed the effects that COVID-19 is having on the cybersecurity profession. The pandemic has unleashed more stress on security pros trying to ensure workers and data stay safe outside the confines of the traditional corporate IT network.
Even before COVID-19 hit, however, the skills gap was getting wider, and open positions more numerous.
A November 2019 report by the International Information System Security Certification Consortium, (ISC)², found that, while there were approximately 2.8 million security professionals working worldwide at the time, another 4 million trained professionals were still needed to close the cybersecurity skills gap. That’s an increase of 145 percent.
Durbin believes that, in the world of COVID-19, enterprises and organizations need to rethink their approach to how they recruit and hire cybersecurity professionals. He recommends businesses develop champion or ambassadorial programs to reinforce the value of a career in information security, as well as consider new methods to encourage the recruitment of competencies and skills that are under-represented in the organization.
“In today’s COVID-19 reality, to rectify the continued cyber skills shortage, organizations are being encouraged to realign their focus to candidates with aptitude, attitude and broad experience,” Durbin said. “Redefining candidate requirements will enable organizations to expand their group of potential candidates, helping to build tomorrow’s security workforce in a cost-effective and timely manner.”
He added: “To build a sustainable security workforce, organizations should adapt to market demands by seeking candidates with diverse competencies and skill sets coupled with providing competitive benefits and structured career development. For some these changes are already underway but for the majority, the approach is still new and untried.”
More Effective Security Leadership
In addition to other findings, the ESG and ISSA survey notes that lack of training and career development can have an impact on the effectiveness of an organization’s CISO and how workers view their boss.
Of those surveyed, about 42 percent rated their organization’s CISO as “very” effective, while another 47 percent thought of their security leader as “somewhat” effective. Another 12 percent rated their CISO as “not very” or “not at all” effective.
“Overall, there is room for improvement,” Oltsik wrote in the report. “This may reveal that few CISOs have the blend of business, leadership, communications, and technical skills necessary for success.”
One way for a CISO to become more effective is to ensure that cybersecurity is a shared burden across the whole enterprise, said Lisa Plaggemier, the chief strategy officer at MediaPro, a Seattle-based provider of cybersecurity and privacy education. This can include a wide range of improvements, from teaching developers to incorporate good security practices into the DevOps process to training employees to recognize threats, such as phishing, before they damage the organization.
“Providing more security knowledge to people in IT, software developers, data architects, etc. so that they can do their jobs more securely could reduce the burden on the already stretched security professionals,” Plaggemier told Dice. “Some security teams resist enabling people outside of the security function, but as long as we ‘keep it all to ourselves’ and don’t work with the business, we will perpetually feel like we don’t have enough resources to get the job done.”