ESG recently published a new research report titled The Life and Times of Cybersecurity Professionals, produced with its research partner, the Information Systems Security Association (ISSA).
The research looks closely at the ramifications of the cybersecurity skills shortage – beyond the obvious conclusion that there are more cybersecurity jobs than people with the right skills and background to fill these jobs.
As part of this research project, ESG and ISSA wanted to understand whether the cybersecurity skills shortage is a contributing factor to the constant wave of security events experienced by large and small organizations.
To that end, 343 cybersecurity professionals (most of them ISSA members) were asked whether their organizations had experienced a security incident over the past 2 years (e.g., system compromise, malware incident, DDoS attack, targeted attack, data breach, etc.). More than half (53%) admitted that their organization had experienced at least one security incident since 2015. It is also noteworthy that 34% responded “don’t know/prefer not to say,” so the percentage of organizations experiencing a security incident is likely much higher.
Those survey respondents confessing to a security incident were then asked to identify the factors that contributed to these events. The data reveals that:
- 31% cite a lack of training for non-technical employees. This indicates that employees are probably opening rogue attachments, clicking on malicious links, and falling for social engineering scams, leading to system compromises and data breaches. Clearly, firms are not dedicating the people or financial resources necessary to provide ample cybersecurity training, and they are suffering the consequences.
- 22% say that the cybersecurity team is not large enough for the size of their organization. Boom, direct hit. In an earlier blog, I revealed some data about the implications of the cybersecurity skills shortage, like an increasing workload on staffers and a myopic focus on emergency response at the expense of planning and strategy. The data also shows that the skills shortage leads directly to more security incidents, which in turn lead to business disruption, negative publicity, and data breaches.
- 20% say that business and executive management tend to treat cybersecurity as a low priority. The lack of suitable business oversight on cybersecurity was a consistent theme throughout the ESG/ISSA research. It remains true that business executives are overlooking their fiduciary (and moral) cybersecurity responsibilities. Based upon this data, we can anticipate some massive GDPR fines in the second half of 2018.
- 18% say that the existing cybersecurity team can’t keep up with the workload. Another direct hit – the workload is too big and the staff is too small.
Breach detection, proactive threat hunting, and incident response tend to be people-intensive processes dependent upon advanced skills, so it’s logical to assume that the cybersecurity skills shortage would have a profound impact on them. The ESG/ISSA research proves that there is a strong correlation, so it’s safe to say that organizations with lots of open cybersecurity requisitions can expect a lot of malicious activity on the network.
Can anything be done? Yes. CISOs should assume that they’ll be short-staffed and therefore address cybersecurity requirements by:
- Proceeding toward advanced prevention. CISOs should go the extra mile to decrease the attack surface by using technologies like micro-segmentation, identity-based access controls (i.e. zero-trust networking), threat intelligence gateways, and secure DNS services.
- Automating processes. Cybersecurity pros should assess current processes and look for ways to automate things like data collection, event lifecycle management, and process workflow.
- Adding intelligent solutions. All organizations should be investigating, evaluating, and deploying security solutions based upon artificial intelligence. While this technology is in its infancy, it can be applied to accelerate threat detection and ease the burden on the SOC team.
- Getting help. CISOs must honestly assess whether they have the staff level and skills to keep up with requirements or not. Those that find themselves lacking should throw in the towel and find managed service and SaaS providers who can bridge this gap.
Note that the ESG/ISSA report is available for free download here. Your comments and feedback are welcome.