The research paper comes from eSentire and it is titled “The Self-Fulfilling Prophecy of the Cybersecurity Skills Shortage“. In June 2019, eSentire commissioned 451 Research to conduct a macrosecurity survey. Then in July, eSentire surveyed 300 North America IT security professional and reputable independent research and industry sources including the U.S. Bureau of Labor Statistics and ISACA.
To understand the main findings, Digital Journal spoke with Chris Braden, VP global channels & alliances at eSentire.
Digital Journal: How prevalent are cyberattacks at the moment?
Chris Braden: Cyberattacks are very prevalent at the moment, and the trend is showing no signs of slowing down any time soon. We found that the cumulative probability of an exploit incident increased steadily over time across all industries. Technology topped out with a 31% chance an incident at the end of a 12-month period, with the global average at 26%. These trends reflect single site locations. Unsurprisingly, the more locations in an environment, the more the risk of exploitation compounds. For clients between five and 10 locations, the risk of exploitation ranges from 79 to 96 %.
DJ: Where are most cyberattacks coming from?
Braden: The reality is that where cyberattacks are coming from varies greatly. In terms of physical location, threats are coming from all over the globe. While certain countries seem to be associated with cybercrime more often than others, the origin of cyberattacks is not limited to a small group or list of countries. As well, cyber criminals have sophisticated means of obscuring their true location, making it difficult to trace an attack source to a specific location.
In terms of the types of threat actors, we see a large and diverse population of attackers, from nation-states to terrorist organizations to individual criminals. We see professional criminals and we see motivated insiders or former employees, which means that the threat isn’t just geographically diverse, it’s also highly diverse in terms of who the threat actors are themselves and therefore their motivation or incentive for committing cyberattacks can also be highly varied.
DJ: Do businesses have the right people with the right cyber-skills to combat these attacks?
Braden:Of the respondents to a 451 Research study commissioned by eSentire, 87% feel their cybersecurity staffing levels are adequate, while 78% also feel they feel they have a skills/expertise gap. This indicates that they have the people, but they do not think these people possess the expertise they need. As we also discuss in the paper, there is and has been a chronic shortage of employees with the right skills. With such a shortage of available skills in the market, it’s logical to conclude that many companies do not have the skilled resources they need to effectively execute their security strategy.
DJ: Do businesses actually know what they need?
Braden:We see more and more businesses developing better and more disciplined security strategies to protect their assets. Those who do have a well-thought out security strategy that is aligned with the business’ goals, have a good handle on the skills and resources they need. However, not every business has an effective security strategy and that can make it very challenging for them to then know what they need. We see in our report that organizations believe there are not enough qualified professionals to fill the open positions, yet 58 percent are trying to do just that in order to meet their cybersecurity needs.
Two-thirds believe they could address the problem by retraining existing staff to meet the skill levels they desire, yet only half of organizations say they are doing that. Organizations are essentially creating a self-fulfilling prophecy based on the widely reported skills gap. They believe they cannot get the skilled talent they need, but they are not taking the action to change the circumstances. They continue trying to fill open positions while neglecting to retrain existing talent, thus perpetuating the skills gap.
DJ: What are the in-demand cyber-skills right now?
Braden:The most in-demand cyber-skills right now, based on the volume of job postings tends to be security analysts. If we look at demand as represented by compensation and recruiting, then it would be the higher levels of the security organization chart, Chief Information Security Officer, etc.
DJ: How can businesses best retain cyber professionals?
Braden:To keep qualified cybersecurity professionals from job hopping away from an organization in their quest for job satisfaction, organizations need to focus on three things:
First, train: Set up continuing education programs for current employees to increase their security knowledge and to obtain new certifications that benefit the organization while increasing job satisfaction. Second, retain: Ensure your employees are in positions that match their skill sets, with challenging assignments and attractive compensation so they do not see a need to look elsewhere. It is also important that companies think through career progression opportunities. Many security employees that leave often go to an opportunity that represents promotion and career progression.
Third, gain: Work with recruiters to make sure they understand the nuances of the position and the specific skill sets required. Make the hiring process more efficient and less painful.
