SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Work in cybersecurity? 59% of organisations have unfilled security positions
Wed, 18th Apr 2018

If you're not qualified in cybersecurity, then research suggests that you should be, as it's certainly a ‘buyers' market'.

ISACA has released part one of its annual ‘State of Cybersecurity' report for 2018, detailing workforce development, staffing, budget, and organisation of security teams around the world.

According to the report, enterprises continue to struggle with funding, staffing and retaining an adequate security workforce. In fact, 59 percent reported that they had unfilled (open) cybersecurity/information security positions within their organisation, while the majority (26 percent) stated it takes on average six months or more to fill a cybersecurity/information security position.

Of course, this is nothing new, as previous years' results of the survey (and various others) have highlighted the issue, but ISACA says this year's findings uncover additional characteristics of the skills gap, with several contributing or potentially exacerbating factors that impact security staffing, skill building and talent retention.

The key findings included both positive and negative points: while the skills challenges remain, they are better understood.

This means that while the skills gap continues unabated and enterprises still have open security positions, the time to fill them appears to have decreased slightly.

Demand is greatest for skilled technical resources at the individual-contributor level, rather than the management or executive level. For job seekers, technical skills are a strong differentiator—especially those that can be objectively demonstrated.

Gender disparity is present but ISACA affirms it can be mitigated. Men perceive similar opportunities in security careers, regardless of gender; however, their perceptions are not shared by women colleagues. Active enterprise diversity efforts help to equalise (but do not fully mitigate) this disparity.

In a positive trend, budgets are on the rise. Last year's survey results showed that budgets were expanding but at a slower rate compared to previous years (50 percent predicted that budgets would grow). This year, budget expansion will increase at a higher rate than last year and the year before that, with 64 percent of respondents indicating that their security budgets will expand.

Respondents are also slightly more confident than last year in terms of security preparedness as they are encouraged by how it is being prioritised within their enterprises.

Despite this, ISACA asserts the results suggest a lack of consensus about organisational placement (i.e. reporting structure) for security teams, and a wide array of approaches are in active use.

Reporting on the findings, Skillsoft digital skills VP Emily Wiese says digitalisation is commonplace in today's business world - and so is the resulting skills gap.

“Many organisations are struggling with effective and efficient digital adoption because they expect employees to adapt to these technical changes on their own. It is the employer's responsibility to provide adequate training and resources for tools they expect their employees to use,” says Wiese.

“Furthermore, assessment and accountability should be built into this training so that employers can quantify results and identify areas for improvement. It's not as simple as offering one-off digital skills training courses or developing an open-ended mandate that all employees must understand and use the tools available to them. Instead, organisations must implement holistic, strategic training processes and they must track the success of these programmes.”

ISACA sent the survey to a global population of cybersecurity professionals who hold ISACA's Certified Information Security Manager and/or Cybersecurity Nexus Practitioner (CSX Practitioner) designations and individuals in information security positions. A total of 2,366 individuals participated in the survey and their responses are included in the results.