As many as three-quarters of organisations are struggling with an acute shortage of cyber security personnel and this has put cyber security professionals under immense pressure as they have to keep up with security needs of new IT initiatives while struggling with meager budgets.
A global survey of cyber security professionals conducted by the Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG) has found that while IT security teams at organisations are struggling with low headcount and increasing responsibilities, lack of adequate resources and lack of training are further impacting their effectiveness against cyber threats.
Role of cyber security professionals has increased following the arrival of GDPR
While 91 percent of cyber security professionals are sure of the fact that their organisations are vulnerable to significant cyber attacks, 94 percent believe that cyber criminals now have the upper hand in the cyber war as organisations are now universally reliant on technology and there aren't sufficient resources or manpower to fight the threat effectively.
Today's CISOs and cyber security professionals have to shoulder a large number of responsibilities that include keeping up with security needs of new IT initiatives and shadow IT initiatives, educating employees about cyber risks, getting them to change their behaviour to reduce risks, and trying to get the business to better understand cyber risks.
The roles and responsibilities of cyber security professionals have further increased following the arrival of GDPR, with 84 percent of them stating that they have been playing more active roles to ensure data privacy at their organisations since May last year.
However, lack of support from business leaders, a lack of manpower, lack of funds, and lack of skills training is making things difficult for cyber security professionals, so much so that almost a third of them (29 percent) are now working as virtual CISOs (vCISOs) and a further 21 percent are actively considering vCISO as an attractive career option.
While this entails that half of all CISOs globally will work remotely in the coming days, a further 33 percent of them are positive about considering vCISO as a career option in future, indicating that organisations will have a hard time finding skilled professionals to work as in-house CISOs.
So what exactly is driving away CISOs from organisations?
While there are many factors that are making the role of a cyber security professional highly stressful, a major factor is lack of training imparted by organisations. 23 percent of cyber security professionals bemoan the fact that their teams have not been given the right level of training and 66 percent said that cyber security job demands often preclude them from skills development.
The global study found that 63 percent of organisations are not providing adequate levels of training to their cyber security teams in order to make them capable of handling emerging threats. While there is a skill shortage of 33 percent in cloud security, there is a shortage of 32 percent in application security, and a 30 percent skill shortage in security analysis & investigations.
"Organisations are looking at the cybersecurity skills crisis in the wrong way: it is a business, not a technical, issue. Business executives need to acknowledge that they have a key role to play in addressing this problem by investing in their people," said Candy Alexander, CISSP CISM, Executive Cybersecurity Consultant and ISSA International President.
"In an environment of a ‘sellers market’ with 77 percent of cyber security professionals solicited at least once per month, the research shows in order to retain and grow cybersecurity professionals at all levels, business leaders need to get involved by building a culture of support for security and value the function," Alexander added.
The study also found that 41 percent of organisations are recruiting and training junior personnel rather than hiring more experienced cyber security professionals. Information Systems Security Association (ISSA) and Enterprise Strategy Group (ESG) recommend that if organisations design their own training programmes, they will be able to develop future talent and gain loyalty. Casting a wider net beyond IT and finding transferable business skills and cross career transitions will help expand the pool of talent as well.
ALSO READ: Critical lack of in-house talent affecting NHS trusts' cyber resilience