A cybersecurity skills gap is leaving businesses vulnerable to attacks, a new study from ISACA warns.
Businesses are experiencing more cyberattacks and recognize an increased threat to their defenses, but lack human resources to properly tackle them, according to the State of Cybersecurity Survey from ISACA, an international association of IT professionals.
More than half of the surveyed cybersecurity professionals said that their organizations were experiencing more cyberattacks than a year before, but only one in ten of the organizations that complete cyber risk assessments do so monthly, and two in five conduct them annually.
Failure to assess cyber risks leaves businesses vulnerable to attacks and increases the risk of breaches going undetected for prolonged periods, ISACA warned. Understaffed cybersecurity teams contributed to this, it said, with almost two-thirds of respondents saying it was a problem.
“Our findings show that businesses are still struggling to find the right people with the right skills to manage cybersecurity,” Chris Dimitriadis, global chief strategy officer at ISACA, said.
“Businesses do not exist in isolation from their customers or the other organizations within their network, and a cyberattack on one part of the ecosystem can have consequences for everyone else. This is why holistic training is needed towards creating a safer world,” Dimitriadis added.
The vast majority of surveyed professionals said that hands-on experience, credentials, and cybersecurity training were very or somewhat important when determining if a cybersecurity candidate is qualified.
However, a change in that perspective could be in order if organizations are to properly staff their cybersecurity teams, with upskilling non-security employees or training on the job emerging as two possible solutions to the problem, according to Chris Cooper, a member of ISACA’s Emerging Trends Working Group.
“Employers are looking for people who already have hands-on experience, but we will only enable people to build that experience by creating more entry-level roles and investing in the right training and development for everyone in the industry, from the ground up,” Cooper said.
Of the organizations with unfilled roles in cybersecurity, 39% offer entry-level jobs to candidates with no experience, university degree, or credential, while 44% require a university degree.
Half of organizations said that they were upskilling non-security staff, a similar proportion are relying on contractors or external contractors, and a quarter are adopting reskilling programs.