The cybersecurity skills gap is a global problem that must be addressed if we hope to stay ahead of today’s motivated cyber criminals. A new report from ISACA that takes a deep look at the oft-reported security skills shortage reveals over half (53%) of the organizations it has polled continues to experience ongoing challenges of having unfilled cybersecurity positions in their organizations despite of rising demand in cybersecurity roles.
The global report from ISACA in partnership with HCL Technologies entitled: State of Cybersecurity 2021 Part 1 survey report, in its India findings found that longstanding issues persist, including nearly 50% saying they have unfilled positions in the domain of cybersecurity, with 46% of respondents indicating that their cybersecurity teams are understaffed and another 53% saying their cybersecurity applicants are not well qualified.
Cybersecurity teams continues to be understaffed
The pandemic has put the spotlight on organizations’ data protection and privacy. To this end, 42% of the respondents felt they were appropriately funded for security function while more than half the respondents said that spending on security technology initiatives has increased during the pandemic.
The ISACA study corroborates the on-ground reality in India, estimating that the shortage of cybersecurity workforce in India is 9% higher than the global average.
According to an estimate by the Data Security Council of India the country needs about 1 million cybersecurity professionals. The survey also indicates that 60% of organizations surveyed are fully staffed in-house to only “respond” to security threats and breaches, while nearly an equal number, 59%, are equipped to proactively “protect” cyberattacks.
Among a host of factors plaguing the industry, poor financial incentives stood out as the most visible reason that cybersecurity professionals are leaving their jobs, at 45%, followed by limited promotion and development opportunities at 44%.
While half of the respondents said they had unfilled positions in their organization, they also indicated that it takes anywhere between 3-6 months to fill an open position. At the same time, only 41% of the respondents felt that the HR department understands their organization’s cybersecurity hiring needs to properly pre-screen candidates.
On skill gaps, 44% of the respondents said that security controls is the biggest skill gap they see in today’s cybersecurity professionals. Fortunately, more than half the respondents said they are training non-security workers who are interested in taking up security roles.
Closing the cybersecurity skills gap
With about half of organizations either decreasing their training budgets or keeping them the same this past year, it’s not surprising that industry professionals struggle to find opportunities to improve their skills for their work. Nonetheless, experts believe, cybersecurity training and awareness among employees should be a key part of every organization’s business strategy, especially at a time the world is just recovering from the pandemic.
“The industry is overdue for a wake-up call to address the IT and security skills gap and talent shortage, especially with remote/hybrid work becoming the norm,” said Ron Gula, founder of Gula Tech Adventures. “This vision for attracting and retaining talent can only be fulfilled if organizations continuously invest in their employee’s career and skills development. By assessing existing IT and security training programs, organizations can empower their employees to scale their current skills and ultimately, their careers,” he said.
While there has also been greater industry collaboration and more acquisitions in the cyber security space, there’s a lot more organization can do on an ongoing basis to mitigate the cyber security skills gap. An interest from top management – and not just the IT team – to share data and training resources whenever possible can be a simple yet effective way to make individuals aware of the importance of cyber security.
Of the organizations that are tackling the problem, they are addressing it through the following means:
- Training non-security staff who are interested in moving to security roles (52%)
- Increasing use of reskilling programs (46%)
- Increasing use of performance-based training to attest to actual skill mastery (37%)
- Increasing usage of contract employees or outside consultants (35%)
- Increasing reliance on AI/automation (31%)
R.V. Raghu, Member of ISACA’s Emerging Trends Working Group. believes that for training and development of professionals to address the skill gaps in cybersecurity, the government, academia and industry will have to collaborate with each other. It is not only important to better prepare fresh graduates, but also bring a wider pool from all streams and equip them with the skills needed to succeed in cybersecurity career.
Rajesh Maurya, Regional Vice President, India & SAARC at Fortinet however believes that the cybersecurity skills gap is about much more than organizations having difficulty filling open positions; it’s an existential threat to the ongoing viability of those organizations, especially with the transition to a remote workforce model, believes.
He sees employee motivation having a significant impact on cybersecurity, as insider threats are often associated with careless or negligent users who make mistakes either because they are trying to save time or because they are not paying attention.
“Organizations can mitigate this risk by offering internal mentorships that are designed to keep employees engaged, helping to improve productivity and keep employees aware of their impact,” he said
In the current scenario, the importance of virtual training opportunities – centering on cybersecurity awareness and accountability – is expected to play a critical role in helping employees understand the importance of cyber hygiene.