A lack of resources is the single biggest challenge for the IT security market, followed by a lack of experience and skills, according to “The Security Profession in 2018/19” report from the Chartered Institute of Information Security (previously known as the IISP) – the independent not-for-profit organisation responsible for promoting professionalism and skills in the IT profession. At least 45 percent of respondents chose a lack of resources as the biggest challenge: compared to 37 percent for a lack of experience, and 31 percent for a lack of skills. Ultimately, security professionals feel their budgets are not giving them what they need – only 11 percent said security budgets were rising in line with, or ahead of, the cyber security threat level, while the majority (52 percent) said budgets were rising, but not fast enough.
Professionals were also clear about where threats originate. Overwhelmingly, 75 percent perceived people are the biggest challenge they face in cyber security – with processes and technology near-equal on 12 and 13 percent respectively. This may explain the need for more resources even as budgets increase: people are a far more complex issue to deal with. Yet at the same time, there are signs of improvement. More than 60 percent of IT professionals say that the profession is getting better – or much better – at dealing with security incidents when they occur, with only 7 percent saying the profession is getting worse. Conversely, less than half (48 percent) of respondents felt the industry is getting better at defending systems from attack and protecting data, with 14 percent saying the profession is getting worse. This suggests an ongoing move in the industry – from focusing on prevention, to an all-encompassing approach to security.
“IT security is a constant war of attrition between security teams and attackers, and attackers have more luxury to innovate and try new approaches,” said Amanda Finch, CEO, Chartered Institute of Information Security. “As a result, the industry’s focus on dealing with breaches after they occur, rather than active prevention, isn’t a great surprise – the former is where IT teams have much more control. Yet in order to deal with breaches effectively, security teams still need the right resources and to increase those in line with the threat. Otherwise they will inevitably have to make compromises.”
Other relevant statistics from the research included:
- Asked to identify the worst or most notable security events or breaches of the last year, more than one third of respondents pointed to Facebook, both for its own breaches and for its relationship with Cambridge Analytica.
- British Airways was second, with almost a quarter of responses. All the incidents highlighted by the most respondents were as notable for the aftermath of the breach as for the breach itself.
- The innovation predicted to have the greatest effect on security in general was AI and machine learning technology – suggesting this is an area for organisations and individuals to target their skills development.
The focus on a lack of resources, experience and skills suggests that IT security teams are feeling the effect of the IT skills shortage. Yet this is also an opportunity for individuals. The majority of IT security professionals surveyed believe this is a good time to join the profession – 86 percent say the industry will grow over the next three years and 13 percent say it will “boom”. There is also an opportunity, and need, for women in the industry – 89 percent of respondents identified as male, and 9 percent as female. More than 37 percent say they have better prospects than a year ago, and the factors attracting people to take security jobs are the same as then – remuneration, followed by scope for progression and variety of work. Insufficient money, or a lack of opportunity, also cause people to leave security positions – yet the top factor causing people to leave their jobs is bad or ineffectual management.
“In the middle of a skills shortage, organisations need to treat their workers carefully. Losing them through a lack of investment, through failing to help develop skills, or simple poor management, cannot be allowed,” continued Amanda Finch. “At the same time, they cannot simply hire anyone to fill the skills gap – bringing the wrong person into a role can be a greater risk than an empty seat. Instead, organisations must understand what roles they need to fill; what skills those roles demand; and what skills applicants have. Armed with this, businesses can fill roles and support workers throughout their careers with the development, opportunities and training they need. This doesn’t only mean developing technical skills, but the social, organisational and strategic skills that are essential to put security at the heart of the business.”
The survey covered a range of IT security professionals from a variety of backgrounds, both members and non-members. The full 24-page report can be read on the Institute’s website.