Organizations face myriad cybersecurity challenges today, and a recent study indicates that the skills shortage and insufficient training for existing cybersecurity staff have a big influence on a company's overall cybersecurity health.
The global cybersecurity skills shortage has resulted in an increased workload for cybersecurity professionals, leaving them unable to fully exploit some security technologies, the study found. Additionally, respondents reported that time was being spent disproportionately on high-priority issues and incident response, leaving limited time for training.
"There is a cumulative impact here: You don't have enough people, the people you have don't have the right skills and the people that you have aren't getting the right training," Jon Oltsik, senior principal analyst at the Enterprise Strategy Group (ESG) and the author of the report, said.
"The cybersecurity skills shortage is an existential threat to national security and it doesn't matter what we do on the technology front and what we do on the process front if we don't have enough people or if we don't take that into account when we make decisions," he said.
The study was conducted by the Information Systems Security Association (ISSA) and analyst firm ESG, and surveyed 343 cybersecurity professionals -- 67% of whom concur that it's becoming increasingly difficult for them to maintain the appropriate, necessary skill sets.
Respondents identified security analysis and investigations (31%) and application security (31%) as the two areas where their organization has the biggest shortage of cybersecurity skills. Thirty-eight percent of respondents believe that the cybersecurity skills shortage is also driving high rates of employee burnout and attrition.
While 96% of respondents believe that cybersecurity professionals must keep up their skills development, only 38% said their organization is providing them with an appropriate level of training to keep up with business and IT risks. This should be a concern for business, IT and cybersecurity executives, Oltsik said.
For CISOs, it should be a priority to get their cybersecurity staff trained and keep them up to speed, because failure to do so will increase the organization's risk, he added.
How to train your cybersecurity professionals
A huge challenge for cybersecurity professionals is how rapidly technology changes, said Candy Alexander, member of the ISSA International Board of Directors and chief architect of the ISSA Cyber Security Career Lifecycle. Cybersecurity professionals must try to think ahead to learn what the risks are when using these technologies in the business, she added.
The problem is made worse because, for modern companies, cybersecurity investments typically center on technology instead of training cybersecurity professionals, Alexander said.
Instead, companies should be focusing on the skills issue, she added.
"We need to reinvest in our people to really get to the solutions in regards to mitigating the risks around our organization," she said. "If you want to keep your cybersecurity staff, you need to invest in them. You need to provide them a little bit of nurturing through training, and that doesn't necessarily mean classroom and in-person training."
One of the challenges is that businesses still use traditional approaches, such as instructor-led training, she said. Information security or cybersecurity professionals will get more benefits from what Alexander called "just-in-time learning."
"In other words, going after very specific training as needed. I can't go and spend a week in the classroom to learn about the latest networking technology. I just need to learn what I need to mitigate a certain risk," she explained.
One of the best ways to learn about information security or cybersecurity professionals' roles is to maintain contact with associations like ISSA, she said. Having business leaders and technology leaders as mentors is another effective training avenue, she added.
There are numerous career opportunities for cybersecurity professionals, Oltsik said, but they must be proactive in their training and career development.
"They have to be invested in their careers, and invested in maintaining and improving their skills," he said.