by CSO Australia staff

Employers must adapt as ‘pervasive and ominous’ cybersecurity skills gap gets worse

Nov 08, 2017 | 5 mins
IT Skills

New skills programs in Australia offer hope but employers must also adjust their expectations and practices.

Poor or non-existent cybersecurity training, a lack of repeatable security processes, a failure to align business and cybersecurity goals, and short-term thinking have all exacerbated a cybersecurity skills crisis that is still widening, according to a new global study, despite a range of efforts to address it in new ways. As a result, Australian organisations are trying new ways to cope.

Fully 70% of the 343 respondents to the Information Systems Security Association (ISSA)-Enterprise Strategy Group (ESG) study—entitled “The Life and Times of Cyber Security Professionals”—said the ongoing cybersecurity skills shortage is impacting their organisation, with 91% saying that most organisations remain vulnerable to a significant attack or data breach.

Respondents blamed lack of training of non-technical employees (cited by 31%), lack of adequate cybersecurity staff (22%), and the low priority given to cybersecurity by company management (20%) as the key contributors to the ongoing flood of security breaches.

“We are not making progress, cybersecurity professionals can’t scale, and the implications of the skills shortage are becoming more pervasive and ominous,” warned report author and ESG senior principal analyst Jon Oltsik.

ISSA international board of directors member Candy Alexander was equally concerned: “While organisations have been investing in new cybersecurity technology, they are not investing enough in their people,” she said in a statement. “We, as a profession, need to help business understand the cybersecurity skills investment versus risk trade-off.”

Some private-sector organisations are embracing new ways of addressing the issue with programs designed to help accelerate the sourcing and training of technical and nontechnical staff for cybersecurity positions.

Startup WithYouWithMe, for one, has focused on retraining Australian Defence Force veterans for cybersecurity positions and has placed 184 veterans since commencing in December 2016. The company’s Cyber Military Training Program has filled its Cyber Security Pathway with more than 50 additional veterans who, founder Jayson Christian said, “possess analytical skills and provide unique insight to solve complex problems.”

This sort of training—which provides exactly the kind of cybersecurity training to nontechnical people flagged in the ISSA-ESG report—reflects the different thinking that employers need to embrace if they have any hope of filling the cybersecurity skills gap.

“We should be open to those who may not have the depth of experience” in cybersecurity, ISACA CEO Matt Loeb recently told CSO Australia. “A lot of openings for these cybersecurity jobs are staying open for six months because the companies are looking for people with 5 years’ experience and credentials galore. There just aren’t enough of those people out there.”

For its part, CompTIA’s ANZ Channel Community recently began a six-month pilot of a mentoring program, based on Mentorloop software, that joins eager IT workers with private-sector mentors to help guide their transition into the industry.

Other organisations are taking new approaches to raising the baseline cybersecurity capability across Australia and the region. Australian security consultancy Sense of Security, for one, this month partnered with the Department of Foreign Affairs and Trade (DFAT) to launch a Cyber Cooperation Program designed to foster better cybersecurity skills across the Asia-Pacific region.

That program, which is supported through the additional $10 million recently announced for the government’s International Cyber Engagement Strategy, will build regional cybersecurity skills and help protect Australian cyber interests, Sense of Security COO Murray Goldschmidt said.

“By sharing our knowledge of the cyber landscape and the potential threats developing countries will face when implementing their cyber strategies, we can better protect them from cyber crime,” he said in a statement. “This will be critical moving forwards, as criminals could exploit potential weak links in Australia’s Indo-Pacific partnerships to gain access to their networks.”

Recent figures from US technology industry association CompTIA delivered positive news for the IT sector, with the organisation’s CompTIA IT Industry Business Confidence Index hitting record highs this quarter on the back of the addition of an estimated 4700 new IT jobs. And Australian recruiter Hays IT pegged cybersecurity engineering positions as one of its “tech jobs predicted to explode”.

Yet growth in IT-related jobs, or even in cybersecurity-specific jobs, won’t always meet demand because there are so many skill sets falling under the same umbrella. Areas such as security analysis and investigation skills, application security skills, and cloud-computing security skills were named by 31%, 31%, and 29% of ISSA-ESG respondents, respectively, as the areas of the biggest shortfalls.

Fixing the cybersecurity skills gap will ultimately require businesses to adjust the way they perceive, measure and invest in cybersecurity training, respondents to the ISSA-ESG report advised. This included setting cybersecurity goals and metrics for IT and business managers, named by 43% of respondents; documenting and formalising all cybersecurity processes (41%); investing in more training and education at all levels, from nontechnical employees and IT or cybersecurity teams up to executive management; providing the right training and mapping these skills into overall career path development; and planning for a perpetual cybersecurity skills shortage.