Security budgets up, but talent scarce, says Isaca
Security budgets are increasing, but qualified cyber talent remains difficult to find with positions taking at least three months to fill, an industry association report on the state of cyber security reveals
The worldwide cyber security skills gap continues to present a significant challenge, with 59% of information security professionals reporting unfilled security positions in their organisation, according to Isaca’s State of cybersecurity 2018 report.
The report also shows that the high likelihood of cyber attack continues, with 81% of security professionals surveyed indicating that their enterprise is likely or very likely to experience a cyber attack this year.
Meanwhile, 50% said their organisation has already experienced an increase in attacks in the past year, and nearly a third said their board has not adequately prioritised enterprise security.
The need for greater diversity in information security was a central theme at the 2018 CyberUK conference in Manchester, and the Isaca report highlights the gender disparity in the sector.
Men in the sector tend to think women have equal career advancement in security, while women said that is not the case. A 31-point perception gap exists between male and female respondents, with 82% of male respondents believing men and women are offered the same opportunities for career advancement in cyber security, compared with just 51% of female respondents.
Around half (51%) of respondents report having diversity programs in place to support women cyber security professionals.
Individual contributors with strong technical skills continue to be in high demand and short supply. More than 7 in 10 respondents said their organisations are seeking this kind of candidate.
Yet, there are several positive and promising insights in the Isaca data, such as the fact that the time to fill open cyber security positions has decreased slightly. This year, 54% of respondents say filling open positions takes at least three months, compared with last year’s 62%.
The data also shows that gender disparity can be mitigated through effective diversity programs. In organisations with a diversity program, men and women are much more likely to agree that men and women have the same career advancement opportunities. Some 87% of men said they have the same opportunities, compared with 77% of women.
Another positive finding is that security managers are seeing a slight improvement in the number of qualified candidates. Last year, 37% said fewer than 25% of candidates for security positions were sufficiently qualified. This year, that number dropped to 30%.
Budgets are also increasing, with 64% of respondents indicating that security budgets will increase this year, compared with 50% last year.
“This research suggests that the persistent cyber security staffing problem is not a financial one. Even though enterprises have more budget than ever to hire, the available workforce lacks the skills organisations critically need,” said Isaca CEO Matt Loeb.
“More of those dollars will need to be invested in technical cyber security training, along with effective retention programs. Practitioners who acquire and demonstrate hands-on technical cyber security skills will find themselves in significant demand,” he said.
Isaca recommendations to help enterprises address the skills gap and bolster security programs include:
- Develop a strong diversity program to improve recruitment, advancement and retention of qualified individuals.
- Invest in the talent you have to develop the skills you need. The skills organisations need are in short supply, so organisations will need to close the gap through training and retention programs.
- Implement objective, consistent and actionable reporting to the board about security concerns. If enterprises measure and track risk systemically and holistically, board prioritisation of security is likely to improve.