People are the biggest challenge in cybersecurity, according to over 80% of IT security professionals.
The Institute of Information Security Professionals (IISP) polled over 300 of its members and found the “people problem” (81%) by far outweighed challenges associated with technology (8%) and process (11%).
By “people” the IISP respondents were pointing not only to regular employees making mistakes such as falling for BEC or phishing scams, or sending data to the wrong recipient, but also the challenges surrounding cybersecurity skills.
This has become an increasingly critical issue for the industry, with certifications body (ISC)² claiming in February that the UK is heading for a “cliff edge” as older practitioners retire with no younger professionals coming through to take their place.
This report also noted the changing workforce dynamic, with the proportion of respondents reporting skills shortages doubling from last year to 16%. Accordingly, around three-quarters of respondents reported positive career prospects, and 87% said they think these are at least as good (51%), if not better (36%), than a year ago.
IISP predicted that in the future it could be the hands-on techie roles that are hardest hit, as these are the ones where young professionals typically find themselves.
Interestingly, despite the dearth of qualified professionals coming into the industry, a plurality of respondents (46%) claimed they’re doing “better” or “much better” at defending systems, versus 39% who stayed neutral and 13% who claimed “worse”.
Report author Piers Wilson said this might not last as attacks grow in volume and sophistication.
“We've not seen any let-up in technology advances on both the good and bad side of the equation. The skills crisis is very real; defense teams might be getting better but so are attackers. There is also a scalability challenge. If you are talking about 10% more attacks than this time last year you can probably cope with that; if you are talking about 50% more attacks, even by improving you might only cope with a portion of that increase,” he told Infosecurity Magazine.
“Ten years ago, not many organizations were really defending against nation state-sponsored hackers or organized crime, so basic cyber-hygiene might have been all they aimed for. But now everybody is faced with that level of sophisticated, highly organized threat actor and is aware of it. So even though cyber defenses have moved beyond the level of basic hygiene, we still find data breaches, ransomware and zero-day attacks happening.”