New research indicates that CISOs need to work in close coordination with other C-suite members
Cyber-security skills shortage is putting businesses at risk in a variety of ways, according to a new study, which suggests that most organizations are struggling to address the cyber-security skills shortage, and consequently the effects of the shortage are worsening. The study further focuses on the Chief Information Security Officers (CISOs) suggesting ways they can step in to solve the looming cyber-security crisis.
In its third year, the study conducted by the Information Systems Security Association (ISSA) and analyst firm, Enterprise Strategy Group (ESG) surveyed 267 cyber-security professionals worldwide, including India. The cyber-security skills shortage is now affecting 74% of organizations, according to the report, yet 63% of organizations are falling behind when it comes to providing adequate levels of training to their cyber-security staff, it says.
The report further confirms that the cyber-security skills shortage continues to be the root cause of rising security incidents, as organizations remain plagued by a lack of end-user cyber-security awareness and the inability to keep up with the growing cyber-security workload. Almost half (48%) of respondents have experienced at least one security incident over the past two years with serious ramifications including lost productivity, significant resources for remediation, disruption of business processes and systems, and breaches of confidential data.
CISOs, for example, are downright skeptical about their chances for success. 91% believe that most organizations are vulnerable to a significant cyber-attack. And an overwhelming 94% believe that the balance of power is with cyber-adversaries over cyber-defenders. No wonder then that organizations are facing increasing and potentially devastating cyber-risks.
Areas of acute skills shortages
The most acute skills shortages shifted this year to cloud security (33%), followed by application security (32%) and security analysis and investigations (30%), according to the study.
“In an era where business leaders are more reliant on technology for success and are facing more scrutiny and accountability than ever before, this lack of progress and the resulting cyber-risk for organizations and their shareholders, customers and business partners should be a cause for concern for business and technology leaders alike,” the report says.
The research also indicates an alarming personal impact related to cyber-security jobs. While CISOs remain dedicated to their craft, attracted by the deep technical challenges and moral implications, the study explores the causes and consequences of stress and burnout.
- Stressful aspects of the job: 40% responded with keeping up with security needs of new IT initiatives, followed closely by “shadow” IT initiatives, trying to get end-users to better understand cyber-risks and change their behavior, and trying to get the business to better understand cyber risks.
- Added stress of new data privacy responsibilities: Even though regulations, such as GDPR is in full swing, cyber-security teams may not be up to the task. 84% claim that the cyber-security team at their organization has taken a more active role with data privacy over the past 12 months, but 21% don’t believe the cyber-security team has been given clear directions and 23% state that the cyber-security team has not been given the right level of training.
- Job-related pressures driving virtual CISO (vCISO) as attractive career option: One out of 10 organizations now hires a vCISO. At present, 29% of CISOs interviewed in the survey are working as a vCISO while 33% would consider it in the future. Almost half claim that working as a vCISO brings more variety and flexibility to a CISO position. Also, CISOs are clearly seeking to avoid some of the politics and stress while taking more control of their careers.
“Based upon the results of this report, one can conclude that cyber-security progress has been marginal at best over the last three years. As Jon Oltsik, Senior Principal Analyst and Fellow at the Enterprise Strategy Group (ESG) and the author of the report, notes, “We may be making some cyber-security improvements but we are getting worse faster. This issue should be of concern to technologists, business executives and private citizens and continues to cause an existential threat to national security.”
Candy Alexander, CISSP CISM, Executive Cyber-security Consultant and ISSA International President, adds that the problem today is that organizations are looking at the cyber-security skills crisis in the wrong way; it is a business, not a technical, issue.
“Business executives need to acknowledge that they have a key role to play in addressing this problem by investing in their people. Also, business leaders need to get involved by building a culture of support for security and value the function,” comments Alexander.
Lessons for the CISOs/security experts
Ø CISOs need to be more active with business executives. They should seek a seat at the board table and work in close coordination with other C-suite members. For example, he/she should work in close coordination with HRO to come up with training program and coordinate with CIO to cast a wider net beyond IT and find transferable business skills and cross career transitions will help expand the pool of talent.
Ø Enhancing soft skills could be a turning point to a CISOs career. CISO’s success depends upon characteristics like communication skills, leadership skills, a strong relationship with business executives, and a strong relationship with the CIO and IT leadership team.
Ø For CISOs and security teams to stay afloat they must constantly nurture their skill sets/domain knowledge. Security certifications such as CISSP are becoming essential.
Ø Experts also suggest security professionals to prioritize practical skills development over certifications. Attending specific cyber-security training courses, participating in professional organizations and events, attending trade shows, and participating in on-the-job mentoring programs can make a difference in the way CISO and his team deals with cyber-security.