A survey of 3,300 IT professionals conducted by (ISC)² has revealed that widespread underfunding in training in-house IT talent is contributing towards the critical cyber security skills gap. The report shows that businesses are exposing themselves to cyber threats by ignoring and neglecting IT professionals, with 65% of IT workers reporting that their security advice isn’t followed.
Almost half of IT workers say their firms don’t invest sufficiently in ensuring that their IT staff are security-trained, despite a shortage of cyber security workers across 63% of businesses. This indicates that the cyber skills deficit is rooted in businesses failing to listen to advice from IT staff and upskill in-house talent.
The report suggests that this is a leadership issue, with 49% of respondents accusing business leaders of a failure to understand cyber security requirements. According to the report, the end result is that the majority of companies are even less able to cope with a cyber attack than they were last year.
In February this year, (ISC)² suggested that the cyber security skills gap will grow to 1.8 million by 2022 if current hiring and training trends continue.
The latest research is based on responses from more than 3,300 IT professionals from around the world who participated in the 2017 Global Information Security Workforce Study. The report can be downloaded here.
Key findings from the study
Key findings from surveyed IT professionals include the following:
* 43% said their organisation doesn’t provide adequate resources for security training
* only 35% agreed that their security suggestions are acted upon
* 55% said their organisation doesn’t require IT staff to earn a security certification
* 63% said their organisation has too few security-focused workers
* 51% of organisations are less prepared for a cyber attack than they were 12 months ago
* 49% blame business leaders for any lack of understanding of cyber threats
* 51% said their systems are less able to defend against a cyber attack compared to a year ago
* hiring managers rank communication skills (62%) and analytical skills (52%) as their top priority, while IT pros cite cloud computing and security (64%) and risk assessment and management (40%) as the top skills needed
“Our findings suggest that too many organisations are so fixated on their inability to attract top cyber security expertise that they often overlook a tremendous pool of talent already on staff and intimately familiar with their infrastructure and processes,” said (ISC)² CEO David Shearer CISSP. “The quickest way for many organisations to protect themselves against cyber threats is through continuous education and empowerment of their IT team’s constituent members. Security is a shared responsibility across any organisation, but unless IT is adequately trained and enabled to apply best security practices across all systems, even the best security plan is vulnerable to failure.”
Education and certification
To help companies easily train their own IT workers in cyber security, (ISC)² has also announced an experience waiver for its Systems Security Certified Practitioner (SSCP) certification. IT professionals and others who have earned a cyber security or computer science degree from an accredited college or university can now attain full certification after passing the SSCP exam and completing the (ISC)² endorsement process, without the one year of paid, full-time work experience that was previously required.
SSCP is an ideal cyber security certification for those IT professionals responsible for the hands-on operations of securing their organisations. Those who earn the SSCP certification demonstrate their technical skill to implement, monitor and administer IT infrastructure using security policies and procedures, as well as an ability to protect the confidentiality, integrity and availability of data.
The SSCP encompasses security operations and administration, risk identification, monitoring and analysis, incident response and recovery, network and communications security, system and application security and cryptography.
Organisations can leverage (ISC)² Enterprise Solutions to educate and prepare their IT teams to pass the SSCP exam and start contributing to stronger cyber defence immediately.
Learn more about the SSCP certification and (ISC)² cyber security education opportunities at www.isc2.org