Cyber Skills Shortage Leading to Rash of Successful Attacks

Cybersecurity professionals are undermanned for the fight against bad actors, according to new research. Altogether, 54% of organizations experienced at least one type of security incident in the last year, with a major contributing factor being that nearly one-third (31%) of cybersecurity professionals say their team isn’t large enough for the size of their organization.

According to research from Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA), 46% of organizations claim to have a problematic shortage of cybersecurity skills. Another 26% point to a lack of training for non-technical employees, and 21% say that business and executive management tend to treat cybersecurity as a low priority. This data is especially troubling as it suggests that many organizations continue to lack a proportional commitment to cybersecurity.

Accordingly, organizations have experienced a multitude of cybersecurity incidents in 2016. For example, 39% of cybersecurity professionals say that their organization has experienced one or more incidents resulting in the need to reimage one or more endpoints or servers; 27% have experienced a ransomware incident; 20% have experienced at least one security incident that disrupted a business application; and 19% have experienced at least one security incident that disrupted a business process.

Also, 69% of cybersecurity professionals say that the global cybersecurity skills shortage has had an impact on the organization they work for beyond successful attacks. More than half (54%) say the cybersecurity skills shortage has resulted in an increasing workload on existing staff, 35% say it has forced them to hire and train junior employees rather than bring on more experienced cybersecurity professionals, and 35% say that the cybersecurity skills shortage has led to the inability to learn or fully utilize some of their security technologies.

Further, organizations have acute cybersecurity skills deficiencies in several areas, beyond day-to-day operational issues. For example, one-third of organizations say they have a shortage of security analysis and investigation skills, 32% report skills shortages with application security, 22% claim to have a shortage of cloud security skills, and 21% are deficient in security engineering.

“It is worth noting that these skills may require years of practical experience or knowledge in both security and other technology areas,” the report noted. “This means that firms will need to compete heavily to acquire these skills.”

As for how to improve the current situation, cybersecurity professionals were asked what type of cybersecurity actions would be most helpful to their organizations: 41% suggested increasing the cybersecurity budget, 40% proposed adding cybersecurity goals and metrics to business and IT managers’ objectives, 39% recommended increasing cybersecurity training for nontechnical employees, and 39% advised hiring more cybersecurity professionals.

Cybersecurity professionals also want more help from their governments. More than half (57%) of cybersecurity professionals believe that their government should be significantly more active with cybersecurity strategy and defense while another 32% say that their government should be somewhat more active with cybersecurity strategy and defense. What types of programs would they like to see? Fifty-four percent suggest that their government create better ways to share security information with the private sector, 44% want the government to provide incentives to organizations that improve cybersecurity, and 43% would like their government to provide funding for cybersecurity training and education.

And finally, the report reveals that most cybersecurity professionals struggle to define their career paths. Nearly two-thirds (65%) of respondents do not have a clearly defined career path or plans to take their careers to the next level.

“This is likely due to the diversity of cybersecurity focus areas, the lack of a well-defined professional career development standard and map, and the rapid changes in the cybersecurity field itself,” the report concluded. “Business, IT, and cybersecurity managers, academics, and public policy leaders should take note of today’s cybersecurity career morass and develop and promote more formal cybersecurity guidelines and frameworks that can guide cybersecurity professionals in their career development in the future.”
