Cyber Security Continues to Evolve—And the Skills Gap Remains a Big Challenge

Cyber security teams are continuing to struggle with hiring and retention issues, and they have not achieved significant improvement in these areas over the past year, according to a global study released earlier this year by technology professional association ISACA.

The organization’s 2020 State of Cybersecurity report, based on an online survey of more than 2,000 cyber security professionals worldwide, finds that many enterprises are short-staffed, have difficulty identifying enough qualified talent for open positions, and do not think their human resources (HR) teams adequately understand their hiring needs.

Among the key findings of the report are that nearly two thirds of the professionals (62%) said their organization’s cyber security team is understaffed, and 57% said they currently have unfilled cyber security positions on their team. Help does not seem to be on the way, with 70% saying fewer than half of their cyber security applicants are well qualified.

In addition, a majority of the respondents (72%) think their HR departments do not regularly understand their needs when it comes to finding talent.

Finding people who possess the right skillsets continues to be a challenge for cyber security teams. Survey respondents expressed that having a degree does not necessarily indicate that a candidate is ready for a job, with only 27% saying that recent graduates in cyber security are well-prepared.

The respondents also indicated that candidates are not measuring up in either technical or soft skills. They cited the top five skills gaps as soft skills (32%), IT knowledge (30%), business insight (16%), cyber security technical experience (13%) and sufficient hands-on training (10%).

On the other hand, when asked about the factors they consider when determining if a cyber security candidate is qualified, respondents place emphasis on technical skills, ranking the top three qualifications as hands-on cyber security experience (95%), credentials (89%) and hands-on training (81%).

Once teams have found the right professionals, many then struggle to retain them. Two thirds said it’s difficult to retain cyber security talent. They cite the main reasons for staff leaving as recruitment by other companies (59%), limited promotion and development opportunities (50%), poor financial incentives (50%), high work stress levels (40%), and a lack of management support (39%).

While survey respondents reported slight progress in the effort to increase the number of women in cyber security roles and in establishing diversity programs, most cyber security teams still indicate they have significantly more men than women on their teams, and most report that progress has been minimal.

As part of their efforts to retain women in cyber security roles and increase representation in the field, about half of the respondents said their organizations have diversity programs in place, an increase of five percentage points from the previous year’s survey. And more than two thirds indicated progress toward increasing the number of women on the cyber security team. Respondents indicated that 86% of cyber security teams still have significantly more men than women or consist of all men.

Boosting cyber security teams can’t come soon enough. In a second portion of its research, released in June 2020, ISACA noted that the cyber security landscape is evolving even more so during this time of disruption. Most survey respondents expect their organization to be hit by a cyber attack soon, with 53% thinking they will experience one in the next 12 months.

The survey found that attacks are also continuing to increase, with 32% of respondents reporting an increase in the number of attacks relative to a year ago. There is a glimmer of hope, however: the rate at which attacks increase is continuing to decline over time. In last year’s report, about 40% of respondents answered in the same way.

The top attack types reported are social engineering, advanced persistent threats, ransomware, and unpatched systems. But respondents noted that they think cyber crime remains underreported. Two thirds of the surveyed professionals think organizations are failing to report cyber crimes, even in situations where they have a legal or contractual obligation to do so.

Among the tools enterprises are using to fight these attacks are artificial intelligence (AI) and machine learning products. While these options are available to incorporate into security tools, only 30% of those surveyed use these tools as a direct part of their operations capability.

The second part of the ISACA research found that understaffed security teams and those struggling to bring on new staff are less confident in their ability to respond to threats. Only 21% of “significantly understaffed” organizations report that they are completely or very confident in their organization’s ability to respond to threats. By comparison, 50% of those who indicated their organization was “appropriately staffed” are completely or very confident in their organization’s abilities.

*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by Bob Violino.
