In this ESG Video, ESG's Jon Oltsik reviews some of the highlights from the research report "Through The Eyes Of Cyber Security Professionals", Part II of a joint effort by ESG and ISSA.
Announcer: The following is an ESG Video Blog.
Jon: Over the last few years, the global cyber security skills shortage has become an increasingly important issue. ESG research indicates that 46% of organizations claim to have a problematic shortage of cyber security skills in 2016, up from 28% in 2015. Given this alarming trend, it's natural to wonder just how well cyber security professionals are holding up. Are they able to coordinate on strategies and tactics with their business and IT peers? Do they have the skills necessary for their job? Have cyber adversaries developed new exploits?
Are they overwhelmed and burnt out? To answer questions like these, the Enterprise Strategy Group and the Information Systems Security Association, or ISSA, teamed up and initiated a primary research project in 2016 by surveying 437 information security professionals and ISSA members. The first report, "The State of Cyber Security Professional Careers," was published in October of this year and focused on the life cycle and development of cyber security professional careers. ESG and ISSA are pleased to announce the publication of a second research report, titled "Through the Eyes of Cyber Security Professionals."
This second report centers on three distinct topics: number one, cyber-attacks and vulnerabilities, number two, the ramifications of the cyber security skills shortage, and number three, what cyber security professionals think of government cyber security strategies, programs, and policies. Regarding cyber-attacks and vulnerabilities, the research reveals that 54% admit that their organization has suffered some type of security event over the past year, with 27% of organizations experiencing at least one ransomware incident. It's worth noting too that 22% to 30% of cyber security professionals didn't know, or wouldn't say, if their organization had experienced a security event this year, so the numbers could be much higher.
Cyber security professionals were also asked if they thought most organizations were vulnerable to a significant cyber-attack or data breach that could lead to business disruption or data theft. Alarmingly, 92% said that an average organization was significantly vulnerable, or somewhat vulnerable, to this type of incident. Of course, one of the main reasons behind the success of cyber-attacks is the cyber security skills shortage itself, since many organizations remain understaffed and lack the right skill set to keep up with cyber threats. In fact, 69% said that the cyber security skills shortage has had a direct impact on their organization.
What type of impact? 54% say that the cyber security skills shortage has led to an increasing workload on existing staff. 35% claim that it has led to an inability to fully learn or utilize the security technologies that they use to their full potential, and 32% say that the cyber security skills shortage has caused higher attrition within the cyber security staff. Cyber security professionals were also asked to identify areas of acute skills shortages at their organization: one-third pointed to shortages with security analysis and investigation skills, 32% said they had shortages with application security skills, and 22% said their organization had a shortage of cloud security skills.
Finally, survey respondents were asked a series of questions about government cyber security policies. 63% believe that current government cyber security strategies remain unclear and incomplete. In fact, 57% said that the government should be significantly more active, while another 32% felt that government should be somewhat more active with cyber security strategies and defenses. Based on the data presented in the second research report, ESG and ISSA offer a number of recommendations.
Number one, cyber security professionals should take the cyber security skills shortage into account as part of every initiative and decision by emphasizing ease of use for all security technology purchases, initiating and pushing projects for security automation and orchestration that use technology to alleviate tedious manual processes, and finding use cases for more use of managed security services. Number two, cyber security professionals should push for more all-inclusive cyber security training. The two reports paint a bleak picture of understaffed cyber security teams that also don't get the right level of training. CISOs should take this data to heart and use it to lobby executives and HR staff to increase training budgets and commitments.
And finally, cyber security professionals should get more involved with public policy. Legislators need our help to better understand cyber security issues and requirements, so cyber security professionals should consider getting involved and volunteering to help guide government cyber security strategy. Both research reports are available for free download from the ESG and ISSA websites. Since our goal is continuous improvement, we welcome all comments, suggestions, and feedback.