Poor or no cybersecurity training, a lack of repeatable security processes, failure to align business and cybersecurity goals and a short-term view have all exacerbated a cybersecurity skills crisis that is widening, according to a new global study, despite a range of efforts to address it in new ways.
Fully 70 percent of the 343 respondents to the Information Systems Security Association (ISSA)-Enterprise Strategy Group (ESG) study – entitled ‘The Life and Times of Cyber Security Professionals’ – said the ongoing cybersecurity skills shortage is impacting their organisation, with 91 percent saying that most organisations remain vulnerable to a significant attack or data breach.
Respondents blamed lack of training of non-technical employees (cited by 31 percent), lack of adequate cybersecurity staff (22 percent), and the low priority given to cybersecurity by company management (20 percent) as the key contributors to the ongoing flood of security breaches.
“We are not making progress, cyber security professionals can’t scale, and the implications of the skills shortage are becoming more pervasive and ominous,” warned report author and ESG senior principal analyst Jon Oltsik.
ISSA international board of directors member Candy Alexander was equally concerned: “While organisations have been investing in new cyber security technology, they are not investing enough in their people,” she said in a statement. “We, as a profession, need to help business understand the cyber security skills investment vs risk tradeoff.”
Some private-sector organisations are embracing new ways of addressing the issue with programs designed to help accelerate the sourcing and training of technical and non-technical staff for cybersecurity positions.
Startup WithYouWithMe, for one, has focused on retraining Australian Defence Force veterans for cybersecurity positions and has placed 184 veterans since commencing in December last year. The company’s Cyber Military Training Program has filled its Cyber Security Pathway with more than 50 additional veterans who, founder Jayson Christian says, “possess analytical skills and provide unique insight to solve complex problems.”
This sort of training – which provides exactly the kind of cybersecurity training to non-technical people flagged in the ISSA-ESG report – reflects the different thinking that employers need to embrace if they have any hope of filling the cybersecurity skills gap.
“We should be open to those who may not have the depth of experience” in cybersecurity, ISACA CEO Matt Loeb recently told CSO Australia. “A lot of openings for these cybersecurity jobs are staying open for six months because the companies are looking for people with 5 years’ experience and credentials galore. There just aren’t enough of those people out there.”
For its part, CompTIA’s ANZ Channel Community recently began a six-month pilot of a mentoring program, based on Mentorloop software, that joins eager IT workers with private-sector mentors to help guide their transition into the industry.
Other organisations are taking new approaches to raising the baseline cybersecurity capability across Australia and the region. Australian security consultancy Sense of Security, for one, this month partnered with the Department of Foreign Affairs and Trade (DFAT) to launch a Cyber Cooperation Program designed to foster better cybersecurity skills across the Asia-Pacific region.
That program, which is supported through the additional $10m recently announced for the government’s International Cyber Engagement Strategy, will build regional cybersecurity skills and help protect Australian cyber interests, Sense of Security chief operating officer Murray Goldschmidt.
“By sharing our knowledge of the cyber landscape and the potential threats developing countries will face when implementing their cyber strategies, we can better protect them from cyber crime,” he said in a statement. “This will be critical moving forwards, as criminals could exploit potential weak links in Australia’s Indo-Pacific partnerships to gain access to their networks.”
Recent figures from US technology industry association CompTIA delivered positive news for the IT sector, with the organisation’s CompTIA IT Industry Business Confidence Index hitting record highs this quarter on the back of the addition of an estimated 4700 new IT jobs. And Australian recruiter Hays IT pegged cyber security engineering positions as one of its “tech jobs predicted to explode”.
Yet growth in IT-related jobs, or even in cybersecurity-specific jobs, won’t always meet demand because there are so many skill sets falling under the same umbrella. Areas such as security analysis and investigation skills, application security skills, and cloud-computing security skills were named by 31 percent, 31 percent, and 29 percent of ISSA-ESG respondents, respectively, as the areas of the biggest shortfalls.
Fixing the cybersecurity skills gap will ultimately require businesses to adjust the way they perceive, measure and invest in cybersecurity training, respondents to the ISSA-ESG report advised. This included adding goals and metrics to IT and business managers, named by 43 percent of respondents; documenting and formalising all cybersecurity processes (41 percent); investing in more training and education at all levels from non-technical employees and IT or cybersecurity teams, up to executive management; providing the right training and mapping these skills into overall career path development; and planning for a perpetual cybersecurity skills shortage.
“It is clear that the solution must be about more than filling jobs,” said Oltsik. “It is about creating an environment from the top down of cyber security as a priority.