There's no doubt that there is a skills shortage in the IT industry, particularly in the field of security. Organisations are keen to augment their IT security capabilities but are struggling to hire the right people for the job. A recent survey revealed the level of difficulty companies are facing when trying to net security professionals.
ISACA and RSA Conference jointly conducted a global survey of 461 cybersecurity managers and practitioners to gauge the state of the industry. The findings in the State Of Cybersecurity 2015 report showed that while organisations are placing greater emphasis on keeping their digital assets safe, security managers are still being left out of top executive leadership teams. Only one in seven chief information security officers reported directly to the CEO. The rest generally report to the CIO.
Why does this matter? It shows that security is still viewed as a technical rather than a business concern. As discouraging as this may be, there are signs that the tides are turning as business executives commit to boosting cybersecurity budgets. Sixty-one percent of respondents said their organisation is looking to increase pay for skilled workers, skills development, awareness training and response planning to support IT security. In addition to increasing spending, 75 percent of respondents reported that their organisations’ cybersecurity strategy now aligns to enterprise objectives.
The biggest challenge for organisations now is finding the right people to protect their businesses from cyberattacks. Unfortunately, well-trained and highly skilled security professionals are hard to come by. In the ISACA and RSA survey, 53 per cent of respondents said their companies need at least three months to fill open cybersecurity positions. Twenty-six per cent require around six months and nine per cent fail to find anybody at all.
But even among those companies that eventually fill their security vacancies, not all are happy with their decisions. Around 60 per cent of the survey's respondents said they were inundated with applicants who didn't have adequate qualifications. Lack of hands-on skills and lack of certification were cited as reasons companies rejected security job applicants. Then there were problems relating to security professionals' inability to understand the business and shortcomings in technical and communication skills.
"Not having skilled employees certainly impacts an enterprise's ability to identify, contain and mitigate complex security incidents, which results in increased cost to the enterprise," the report noted.
The cybersecurity skills gap poses its own threat to keeping an enterprise safe. The survey saw a 12 per cent year-on-year drop in security professionals who are confident in their team's ability to detect and respond to incidents, down to 75 percent in 2015. Among those 75 percent, 6 in 10 do not believe their staff can handle anything beyond simple cybersecurity incidents.
"The lack of confidence in current cybersecurity skill levels shows that conventional approaches to training are lacking," ISACA chief knowledge officer Ron Hale said. "Hands-on, skills-based training is critical to closing the cybersecurity skills gap and effectively developing a strong cyber workforce."