
Enterprise CISOs face cybersecurity skills shortage

Recent studies show that as cyber threats evolve, CISOs will face a cybersecurity talent shortage and an increasingly integral role in company processes.

A lack of cybersecurity talent is leaving the enterprise vulnerable: According to a survey conducted by Enterprise Strategy Group (ESG) and Information Systems Security Association (ISSA), 69% of the respondents asserted that their organization has been impacted by the global cybersecurity skills shortage.

Respondents said that the cybersecurity skills shortage has increased their workload, forced them to hire and train junior employees, and prevented them from learning about or using security technologies.

The survey covered 437 information security professionals worldwide, and the study was released in two parts -- The State of Cyber Security Professional Careers (Part 1) and Through the Eyes of Cyber Security Professionals (Part 2) -- in late 2016. The purpose of the study was to understand the implications of the cybersecurity talent shortage, said Jon Oltsik, ESG analyst and author of the study.


"What we learned is that it's not only that we don't have enough people, it's that the people that we have are way overworked and way underprepared," Oltsik said. "I think in 2017 we will see more of the same, which is you won't be able to hire enough cybersecurity professionals to have the appropriate amount of personnel, and the people that you do hire are overworked and don't have time to develop their skills."

The majority of respondents said their organizations have experienced at least one type of security incident, and over 40% believed that their organization is vulnerable to one. Respondents cited cybersecurity teams not being large enough, a lack of cybersecurity training for non-technical employees, and management treating cybersecurity as a low priority as some of the factors responsible.

"The best way that organizations can address the cybersecurity skills shortage is to invest in the employees and provide them with training opportunities," said Candy Alexander, cyber security consultant and ISSA's chair of the cyber security career lifecycle. "It's not necessarily classroom material either; it could be something as simple as watching online videos, taking online classes or doing job shadowing."

The role of today's CISO

The study also confirms the suspicion that businesses don't fully understand the role of information security, Alexander added.


Information security professionals should put in a greater effort to educate businesses about their role and how they add value to the organization, she added.

Doing so ensures that businesses understand the risks they face, Alexander said. But CISOs need to convey those risks to the business in terms the business can understand, she added.

"But a lot of us from the technology field don't understand how to have that business conversation," she said.

This requires that CISOs become more of a business executive and less of a technologist, Oltsik explained.

"Everything indicates that the CISO is the busiest executive and I think CISOs will be exposed more to the board and executives," Oltsik said.

Over the past couple of years, CISOs have been picking up soft skills while becoming more familiar with business language and methodologies, Alexander said.

"We are learning that the business language is now more important to them ... to use those skills to convey to the business, in business terms, what their jobs are and the risks associated with the organization."

CISOs should also identify use cases for managed security services and explore security automation options to relieve the pressure on cybersecurity professionals and address the cybersecurity skills shortage, Oltsik suggested.

But it is important to establish a true culture of security, and this needs to come from the top down, Oltsik said. Instilling a culture of cybersecurity will also entail proper training for all employees, not just IT and security staff, he added.

"Security needs to be considered in business processes and application development ... security has to be included in every decision you make," he said. "You have to make security a priority for your business."
