Despite increasing risks, cybersecurity professionals continue to find that their teams are understaffed and underskilled, according to a new report from the Information Systems Security Association (ISSA) and Enterprise Strategy Group (ESG), released Wednesday.
Some 70% of the 343 cybersecurity professionals surveyed said that the security skills shortage has had an impact on their organizations. And nearly half (45%) said that their organization had experienced at least one security event over the past two years, the report found.
In terms of factors contributing to security breaches, these professionals named a lack of adequate training of non-technical employees (31%), a lack of adequate cybersecurity staff (22%), and business executive management making cybersecurity a low priority (20%) as the largest issues.
SEE: Information security incident reporting policy (Tech Pro Research)
“The cybersecurity skills shortage is an existential threat to national security,” Jon Oltsik, senior principal analyst at ESG, said on a Wednesday media call. “It doesn’t matter what we do on the technology front and the process front if we don’t have enough people, or don’t take that into account when we make decisions. It also causes massive problems for businesses, and that will only increase.”
In terms of the top cybersecurity challenges across organizations, 29% of security professionals said their security staff was too small given the size of the organization. Meanwhile, 28% said that their business depends on too many manual or informal processes for cybersecurity, and 24% said business managers don’t understand and/or support appropriate levels of cybersecurity.
Businesses face shortage in terms of skills in certain areas as well: 31% of respondents pointed to a shortage of security analysis and investigation skills, while another 31% indicated a shortage of application security skills. Some 29% said they were experiencing a shortage of cloud computing security skills as well.
“We’re understaffed, and asking existing staff to do more work than they’re capable of doing,” Oltsik said on the call. “We have a skills deficit, not just a people deficit, and we have a training gap.”
Businesses tend to fall into common traps when it comes to investing in cybersecurity programs, Candy Alexander, a member of the ISSA International Board of Directors and chief architect of the ISSA Cyber Security Career Lifecycle, said on the media call. “Investments are not so much in training or people, but more in tech,” Alexander said. “We need to reinvest in our people to get the solutions in regards to mitigating the risks around our organizations.”
SEE: IT leader’s guide to reducing insider security threats (Tech Pro Research)
Here are the top five cybersecurity investment mistakes businesses and IT leaders tend to make, and how to fix them, according to the report.
1. Not aligning cybersecurity and business goals
Cybersecurity professionals said the most beneficial action companies can take is adding goals and metrics related to security that IT business managers and security teams can work toward.
2. Not building repeatable processes
As mentioned above, one of the top two security challenges named by security professionals is too many manual and informal security processes. These workers suggest that the second most beneficial action organizations can take is to document and formalize all cybersecurity processes.
3. Not investing in training
While companies are increasing cybersecurity budgets, they tend to invest more in technology solutions than their employees, according to the report. Investing in more training and education at all levels, from non-technical employees to the IT and security teams to executive management, is key for protecting organizations.
4. Not providing the right training
Cybersecurity professionals said they look to specific training courses (76%) and professional development organizations (71%) to build knowledge, skills, and abilities, rather than security certifications. Organizations can look to offer more sophisticated, continuous training, with a focus on specific skills that tend to be lacking, such as application and cloud security.
5. Not assuming a perpetual skills shortage in future planning and strategy
Since cybersecurity professionals say the no. 1 security challenge they face is their staff being undersized for their organization, businesses must create aggressive programs for recruiting talent from IT teams and the business side to bridge security gaps, the report recommends.