The Skills Gap Is Increasing Risk & Exposure To Attack

Uploaded on 2023-04-05 in FREE TO VIEW, JOBS-Training, NEWS-Cybersecurity News

The skills gap leapt an astonishing 73 percent in the UK last year, according to the ISC(2) 2022 Cybersecurity Workforce Study, and globally it’s estimated there are 3.4million vacancies in the sector. Given that the global cybersecurity workforce itself totals 4.7million, that means there’s a deficit of 42 percent in real world terms.

The effects of these shortages are now becoming apparent, with organisations struggling to recruit sufficient talent and to maintain security levels. 

Last year, a report by The World Economic Forum found that 60% said they would “find it challenging to respond to a cybersecurity incident owing to the shortage of skills within their team”. Such fears are proving justified given that, of those businesses that suffered a cyber attack, 69% were found to be “somewhat or significantly understaffed”, according to the ISACA State of Cybersecurity 2022 report. 

Furthermore, the Fortinet Cybersecurity Skills Gap Global Research Report found 80 percent of the organisations it surveyed worldwide had suffered one or more breaches that could be attributed to a lack of cybersecurity skills and 67 percent agreed that the shortage of qualified cybersecurity candidates was creating additional risk.

Where The Holes Are Appearing

So how are those risks manifesting themselves? It stands to reason that the security team will have to prioritise workloads and that some of the more ‘mundane’ tasks will therefore be side-lined. Teams report there is now insufficient time to carry out risk assessment and management (reported by 48 percent, up from 31 percent the previous year), oversights in process and procedure (43 percent, up from 29 percent) and tardy patching (39 percent, up from 29 percent), according to the ISC(2) report. 

What this means in practice is that the security team becomes less proactive and more reactive, inevitably leading us back to a whack-a-mole approach to security. Small wonder, then, that Gartner has stated that by 2025, “lack of talent and human failure will be responsible for over half of significant cyber incidents”.

Shortages can also result in job creep, whereby those on the team are given more work to do or tasks they are not trained in. A recent The State of Security 2022 report from Splunk has found that 76 percent of security team members have been forced to take on responsibilities they are not ready for, leading them to feel overstretched, under pressure and are at risk of making a mistake. This, in turn, creates a vicious cycle because disillusioned and stressed employees are more likely to leave. So, too, as it happens are those in organisations where a breach occurs, with 54 percent of all staff saying they would consider walking post-breach, which reveals just how critical security is to confidence in the company.

The bad news is that there’s little prospect of the situation improving. The Department for Digital, Culture, Media and Sport (DCMS), revised its projection up by over 40 percent last year, stating that 14,100 new entrants were needed annually to meet demand. While, at the other end of the spectrum, we’re seeing experienced professionals leave in their droves, with recent research revealing 32 percent of CISOs and Security Managers in the UK and US are considering quitting

Addressing The Shortfall

Yet the good news is that companies are beginning to explore other options to help resolve the shortfall. There’s now more emphasis on retention, for example, with the ISC)2) study finding that proactive measures can really make a difference. Making employees feel their contributions are valued, providing them with training and scoping out a career plan can all help encourage staff to stay. Look internally, too, at where you can provide opportunities for staff to move into security from other departments and put in place a mentorship scheme to support them. 

Another avenue to explore is automation, with around a quarter of those questioned in the ISC(2) study intending to invest in the future. Such cybersecurity solutions can be invaluable in automating repeatable processes, enabling security teams to focus on higher level tasks, increasing productivity and alleviating stress. But they are a supplement to, rather than a substitute for, talent.

What many need to do is to reappraise their recruitment strategies. Diversity, Equity and Inclusion (DEI) drives are helping to open up the playing field but there’s still an over-emphasis on qualifications and certifications that can see viable candidates excluded from the process. Instead, look at any transferable skills candidates may have, such as soft skills in communication and leadership, and seek to test their aptitude and problem-solving skills during the interview process. 

Nearly half of those now working in the profession under 30 years old came from a career outside of IT, according to the ISC(2), which means people are fighting the tide to enter the profession from unrelated disciplines. If we don’t give the opportunity to prove themselves, we deny them a promising career and the sector the new recruits it so desperately needs. 

Jamal Elmellas is COO of Focus-on-Security

You Might Also Read: 

Is Standardisation Of The Cybersecurity Profession A Good Thing?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« President Biden Forbids Spyware From Government Use
Phishing Kits: The New Frontier For Hackers »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Securosis

Securosis

Securosis is an information security research and advisory firm dedicated to improving the practice of information security.

Black Hat Briefings

Black Hat Briefings

The Black Hat Briefings are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec world.

AcceptLocal

AcceptLocal

AcceptLocal is a payments industry consultancy with expertise in payment processing, payment security, anti-money laundering and fraud prevention.

Data Recovery Services (DRS)

Data Recovery Services (DRS)

DRS provides data recovery services from media including hard disk drives, RAID, solid state disks SSD, memory sticks, USB drives, SD cards, tapes and mobile phones.

DynaRisk

DynaRisk

DynaRisk helps companies protect their staff, clients and supply chain from cyber threats by enabling people to take action for themselves.

Council for Information & Communication Technologies (CTIC)

Council for Information & Communication Technologies (CTIC)

CTIC was set up to address specific issues in the field of ICT relevant to the implementation of electronic government.

Padlock

Padlock

Padlock is a trusted platform with an intimate knowledge of the cybersecurity industry that connects businesses with freelance professionals

UNIDIR Cyber Policy Portal

UNIDIR Cyber Policy Portal

The UNIDIR Cyber Policy Portal is an online reference tool that maps the cybersecurity and cybersecurity-related policy landscape.

u-blox

u-blox

u-blox deliver leading wireless technology to reliably and securely locate and connect people and devices.

ArmorText

ArmorText

ArmorText offers a seamless channel for communication and collaboration for organizations concerned with keeping communication data private and secure.

Vilnius Tech Park

Vilnius Tech Park

The region‘s most complex and integrated ICT hub, Vilnius Tech Park aims to attract and unite innovative talent from big data, cyber security, smart solutions, fintech and digital design.

DeepView

DeepView

DeepView delivers a unified platform for managing risk on digital platforms. One interactive secure portal allowing employees to engage their networks securely and compliantly.

Traced

Traced

At Traced, our aim is to redefine mobile cyber security to provide the best possible protection to everyone against breaches of privacy and security.

JupiterOne

JupiterOne

JupiterOne is the security product that is changing how organizations manage and secure their software defined assets.

Comparitech

Comparitech

Comparitech strives to promote cyber security and privacy for all. We are committed to providing detailed information to help our readers become more cyber secure and cyber aware.

Inroad Technologies

Inroad Technologies

Inroad Technologies provide IT services that help keep your business computers, servers and networks secure and trouble-free.