The Skills Gap Is Increasing Risk & Exposure To Attack

The skills gap leapt an astonishing 73 percent in the UK last year, according to the ISC(2) 2022 Cybersecurity Workforce Study, and globally it’s estimated there are 3.4million vacancies in the sector. Given that the global cybersecurity workforce itself totals 4.7million, that means there’s a deficit of 42 percent in real world terms.

The effects of these shortages are now becoming apparent, with organisations struggling to recruit sufficient talent and to maintain security levels. 

Last year, a report by The World Economic Forum found that 60% said they would “find it challenging to respond to a cybersecurity incident owing to the shortage of skills within their team”. Such fears are proving justified given that, of those businesses that suffered a cyber attack, 69% were found to be “somewhat or significantly understaffed”, according to the ISACA State of Cybersecurity 2022 report. 

Furthermore, the Fortinet Cybersecurity Skills Gap Global Research Report found 80 percent of the organisations it surveyed worldwide had suffered one or more breaches that could be attributed to a lack of cybersecurity skills and 67 percent agreed that the shortage of qualified cybersecurity candidates was creating additional risk.

Where The Holes Are Appearing

So how are those risks manifesting themselves? It stands to reason that the security team will have to prioritise workloads and that some of the more ‘mundane’ tasks will therefore be side-lined. Teams report there is now insufficient time to carry out risk assessment and management (reported by 48 percent, up from 31 percent the previous year), oversights in process and procedure (43 percent, up from 29 percent) and tardy patching (39 percent, up from 29 percent), according to the ISC(2) report. 

What this means in practice is that the security team becomes less proactive and more reactive, inevitably leading us back to a whack-a-mole approach to security. Small wonder, then, that Gartner has stated that by 2025, “lack of talent and human failure will be responsible for over half of significant cyber incidents”.

Shortages can also result in job creep, whereby those on the team are given more work to do or tasks they are not trained in. A recent The State of Security 2022 report from Splunk has found that 76 percent of security team members have been forced to take on responsibilities they are not ready for, leading them to feel overstretched, under pressure and are at risk of making a mistake. This, in turn, creates a vicious cycle because disillusioned and stressed employees are more likely to leave. So, too, as it happens are those in organisations where a breach occurs, with 54 percent of all staff saying they would consider walking post-breach, which reveals just how critical security is to confidence in the company.

The bad news is that there’s little prospect of the situation improving. The Department for Digital, Culture, Media and Sport (DCMS), revised its projection up by over 40 percent last year, stating that 14,100 new entrants were needed annually to meet demand. While, at the other end of the spectrum, we’re seeing experienced professionals leave in their droves, with recent research revealing 32 percent of CISOs and Security Managers in the UK and US are considering quitting

Addressing The Shortfall

Yet the good news is that companies are beginning to explore other options to help resolve the shortfall. There’s now more emphasis on retention, for example, with the ISC)2) study finding that proactive measures can really make a difference. Making employees feel their contributions are valued, providing them with training and scoping out a career plan can all help encourage staff to stay. Look internally, too, at where you can provide opportunities for staff to move into security from other departments and put in place a mentorship scheme to support them. 

Another avenue to explore is automation, with around a quarter of those questioned in the ISC(2) study intending to invest in the future. Such cybersecurity solutions can be invaluable in automating repeatable processes, enabling security teams to focus on higher level tasks, increasing productivity and alleviating stress. But they are a supplement to, rather than a substitute for, talent.

What many need to do is to reappraise their recruitment strategies. Diversity, Equity and Inclusion (DEI) drives are helping to open up the playing field but there’s still an over-emphasis on qualifications and certifications that can see viable candidates excluded from the process. Instead, look at any transferable skills candidates may have, such as soft skills in communication and leadership, and seek to test their aptitude and problem-solving skills during the interview process. 

Nearly half of those now working in the profession under 30 years old came from a career outside of IT, according to the ISC(2), which means people are fighting the tide to enter the profession from unrelated disciplines. If we don’t give the opportunity to prove themselves, we deny them a promising career and the sector the new recruits it so desperately needs. 

Jamal Elmellas is COO of Focus-on-Security

You Might Also Read: 

Is Standardisation Of The Cybersecurity Profession A Good Thing?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« President Biden Forbids Spyware From Government Use
Phishing Kits: The New Frontier For Hackers »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

InfoWatch

InfoWatch

InfoWatch solutions allow you to protect data and information assets that are critically important to your business.

Mitchell Sandham

Mitchell Sandham

Mitchell Sandham is an, independent insurance and financial services brokerage. Business products include Cyber/Privacy Liability insurance.

Deep Instinct

Deep Instinct

Deep Instinct provides comprehensive defense that is designed to protect against the most evasive unknown malware in real-time, across an organization’s endpoints, servers, and mobile devices.

FixMeStick

FixMeStick

FixMeStick is a virus removal device, a USB key that removes malware conventional antivirus software often can’t detect.

GuardKnox

GuardKnox

GuardKnox protects the users of connected vehicles against threats that can endanger their physical safety and the safety of their personal information.

IDpendant

IDpendant

IDpendant offers a wide range of services, including authentication technology, client security products, single sign on systems, encryption solutions, card and mobile device management systems.

Namogoo

Namogoo

Namogoo’s disruptive technology identifies and blocks unauthorized product ads that are injected into customer web sessions by client-side Digital Malware.

National Cyber Security Agency (NACSA) Malaysia

National Cyber Security Agency (NACSA) Malaysia

NACSA is the leading government agency in Malaysia responsible for the development and implementation of national cyber security management policie and strategies.

Mitre ATT&CK

Mitre ATT&CK

MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.

Solidified

Solidified

Solidified is the largest audit platform for smart contracts. Our community has the highest concentration of top Blockchain security specialists and best-in-class code auditors.

Spin Technology

Spin Technology

SpinOne is a SaaS data protection platform designed to monitor, secure, and back up your G Suite and O365 data, improve compliance, and reduce IT costs.

CENSUS

CENSUS

CENSUS is a Cybersecurity services provider offering services to multiple industries worldwide such as Security Testing, Code Auditing, Secure SDLC, Vulnerability Research and Consulting Services.

JupiterOne

JupiterOne

JupiterOne is the security product that is changing how organizations manage and secure their software defined assets.

Sentor Managed Security Services

Sentor Managed Security Services

Sentor Managed Security Services is a cybersecurity company that enables organizations to exist in a digitally connected world.

Cyvatar

Cyvatar

Cyvatar is a technology-enabled cyber security as a service (CSaaS) provider delivering smarter managed security to help you achieve compliance and security faster and more efficiently.

Appknox

Appknox

Appknox is the world’s most powerful plug-and-play security platform that helps developers, security researchers, and enterprises to build a safe and secure mobile ecosystem.

AccessIT Group

AccessIT Group

AccessIT Group is a specialized cybersecurity solutions provider offering a full range of advanced security services.