A shortage of qualified security pros is hampering the ability of companies to protect themselves against attacks that they feel are inevitable in 2015, the results of a study by ISACA (Information Systems Audit and Control Association) and RSA Conference revealed.
The State of Cybersecurity: Implications for 2015 study, which surveyed 649 cybersecurity and IT practitioners worldwide, found that 82 percent expect attacks against their organizations in 2015, but 35 percent can't fill open positions with qualified, capable security talent skilled in handling complex threats as well as understanding a company's business. Furthermore, 77 percent of participants said that attacks increased last year.
Regarding hiring concerns, only 16 percent of respondents said that half of the applicants they get for security positions are qualified. Fifty-three percent noted that it often takes up to six months to fill a job opening.
Noting that the “adversarial growth and innovation” of cyber attacks and attackers, along with growing corporate awareness, “has fueled a tsunami of needs both in terms of cyber security programs and resources,” Eddie Schwartz, chair of ISACA's Cybersecurity Task Force, told SCMagazine.com in email correspondence, “From a human perspective, it takes time to grow a competent workforce, particularly across all required skill levels and within highly specialized disciplines.”
Still, “the number of jobs that went unfulfilled or took 6 months to fill was a surprise,” said Schwartz, who is also president and COO of WhiteOps. “We knew there was a skills gap problem, but the fact that nearly 35 percent of jobs go unfulfilled because there isn't enough qualified talent showed us the breadth of this crisis.”
Attacks are becoming more frequent and deliberate, the study showed. At the top of the list of threat actors in 2014 were cybercriminals, who accounted for 46 percent of attacks, followed by non-malicious insiders, responsible for 41 percent. Hackers were behind 40 percent of the attacks and malicious insiders rounded out the top four at 29 percent.
The pros surveyed fear that the Internet of Things will spawn security concerns—64 percent are very concerned or concerned about IoT. Fewer than half believe their security teams are capable of detecting and responding to complex attacks.
The specter of cybersecurity is on the rise within businesses, the study showed, with 79 percent of respondents saying the board of directors is concerned with it and 20 percent of the professionals surveyed reporting to their CEOs, while 11 percent report to their boards.
Currently, 55 percent have a chief information security officer (CISO) and more than half of the organizations expect to spend more on cybersecurity—56 percent say spending will increase in 2015. Additional evidence emerged that cybersecurity is on the radar of top management since 63 percent of those questioned said that they get appropriate funding from their executive teams.
To fill the gap caused by a shortfall of qualified security practitioners “requires new thinking and coordination across academia, training and certification organizations, and the private and public sector,” said Schwartz.
While he noted that “there is no silver bullet,” he contended that building “a career path for the cyber professional and greater training are the keys.”
Schwartz added, “With the right advanced training and performance-tested skills, there is a great opportunity for professionals to create a highly rewarding career path and add measurable value to organizations.”
To help close the skills gap, ISACA Thursday unveiled seven new Cybersecurity Nexus (CSX) certifications that combine skills-based training with performance-based exams and certifications. Courses will be available starting in the third quarter of 2015.