A small study found that many cybersecurity professionals are only somewhat confident in their CISOs and never get enough training time, but they like their jobs, mostly.
Enterprise Strategic Group (ESG) and the International Systems Security Association (ISSA) released their fourth annual cooperative research report, The Life and Times of Cybersecurity Professionals 2020. The groups also conducted a second survey to understand the impact of COVID-19 on cybersecurity.
Jon Oltsik, a senior principal analyst and fellow at ESG, analyzed the survey results with answers from 327 professionals. The results showed that:
- 68% of respondents said they don’t have a well-defined career path
- 65% said their companies don’t provide enough training
- 45% believe the cybersecurity skills shortage has gotten worse over the past few years
- 29% said they’ve experienced significant personal issues due to job stress or they know someone who has
Oltsik said that the industry has not found the answer to the talent gap.
“This is a people-centric practice and we’re still behind,” he said.
At the same time, 77% said they are happy overall as a cybersecurity professional.
The workplace impacts of the skills shortage include:
- An increasing workload for existing analysts
- Unfilled open job requisitions
- An inability to learn or use cybersecurity technologies to their full potential
Oltsik said companies are not providing enough time for professional development.
“We need to keep up with training but at the same time we are too busy to keep up with training,” he said.
Oltsik said that companies that get it right have strong mentoring programs and allocate time for continuous training on a regular basis. Investing time and money in training results in better security and better morale, which can lower the attrition rate. “This means changing work schedules and paying people overtime to cover for other people in training,” he said.
Oltsik said mentoring programs have to be formal and mentors should be measured on the success of their mentees.
Another effect of scrimping on training is making the ROI on security tools harder to realize. Among survey respondents who said that they didn’t have enough training time, 38% said this includes learning how to use security software.
“Companies are spending money on expensive tools but not giving people enough time to figure out how to use them correctly,” he said.
Among the respondents who have a CISO at their company, 47% said the executive was somewhat effective, with 42% grading the leader as very effective.
Respondents listed communication and leadership skills as the two most important skills for a CISO.
Oltsik said that CISOs are often hampered by corporate leaders who don’t take cybersecurity as seriously as they should.
Limited confidence in cybersecurity defenses
In this year’s survey, the two organizations asked respondents to grade how well individual companies and the industry as a whole are doing to keep up with cybersecurity challenges. From the government to schools to private companies, no one got a good rating. Sixty-four percent of respondents believe their organization should be doing somewhat or a lot more to address cybersecurity challenges. This suggests a disconnect between business, IT, and security teams, or a lack of cybersecurity knowledge at the board level.
And 68% of respondents said that cybersecurity technology and service vendors should be doing somewhat or a lot more to address cybersecurity challenges. A majority of respondents also said that the cybersecurity community at large, government agencies, and public schools should all be doing more.
WFH boosts collaboration
One bright spot in the COVID-19 study was that respondents said working from home is improving collaboration among departments. Slightly more than one-third of organizations have experienced significant improvement in coordination between business, IT, and security executives as a result of COVID-19 issues. Thirty-eight percent have seen marginal improvements, and 21% aren’t convinced but hold out hope for coordination improvement.
Oltsik said the survey found that security teams were mostly prepared to support completely remote teams but not for the scale and the urgency of the shift.
“All these things became much more front and center: Policy management, remote user security, and insider attacks,” he said.