Highlights from the fourth annual “Life and Times of Cybersecurity Professionals” report

The fourth annual Life and Times of Cybersecurity Professionals report from ESG and the Information Systems Security Association (ISSA) is out and available for free download here. The report is chock full of great data. Here are some highlights that point to lingering challenges that dedicated cybersecurity professionals face:

The cybersecurity skills shortage is getting worse. I focused on this in my last blog post. Seventy percent of organizations say they have been impacted by the cybersecurity skills shortage and 45% of survey respondents say that things have gotten worse over the past few years. Furthermore, 58% of cybersecurity professionals say their organization should be doing somewhat or significantly more to address the cybersecurity skills shortage. What can be done? Better hiring practices, more realistic job requirements, improved training — lots of stuff.

Cybersecurity awareness training remains inadequate. Despite the business impact of cybersecurity AND the skills shortage, most survey respondents don’t believe their organization provides the right level of cybersecurity training. Thirty-six percent of respondents reported that they thought that their organizations should provide a bit more cybersecurity training, while 29% believe their organizations should provide significantly more training. Cybersecurity professionals should make sure that business managers are aware of this problem and understand the ramifications. Without better and more frequent training, all the cybersecurity technology in the world won’t really matter.

Attackers maintain an advantage over defenders. ISSA members were asked to compare the status of cyber-adversaries with that of cyber-defenders. The results are alarming.
Sixty-seven percent of respondents to this year’s survey believe that cyber-adversaries have a big advantage over cyber-defenders, up from 59% of survey respondents from the prior year. We need to appreciate this situation and address it with the right resources, training, and battlefield tactics.

It takes years to become a proficient cybersecurity professional. In a new question for 2020, ESG/ISSA asked survey respondents to speculate on how long it takes a cybersecurity professional to become proficient at their job. The highest percentage of respondents (39%) believe it takes anywhere from 3 to 5 years to develop real cybersecurity proficiency, while 22% say 2 to 3 years and 18% claim it takes more than 5 years. Clearly, it takes significant time to understand the use of technology, factor in security models and principles, and then apply this knowledge toward supporting business goals. We need to have more discussions across the cybersecurity diaspora to figure out how to decrease the time-to-proficiency.

Cybersecurity careers can lead to personal issues. The pace and stress of a cybersecurity job can lead to personal consequences—29% of respondents say that they’ve either experienced significant personal issues as a result of cybersecurity job stress or they know someone else who has. This percentage may be even higher, as 17% either don’t know or prefer not to say. Since job stress has only increased due to COVID-19/WFH, CISOs should closely monitor this situation.

Attention cybersecurity professionals: We strive for continuous improvement, so please read the report and give me your feedback on what else you’d like us to cover.

More from the report soon.