The state of cybersecurity
By Paul Nus, SecMidwest
Jun. 2, 2022 6:00 am
The Information Systems Audit and Control Association, known as ISACA, recently released its eighth annual global State of Cybersecurity Survey. Many takeaways from it should raise some alarm bells and red flashing lights for all of us.
The survey examines trends within cybersecurity as well as the challenges the industry faces.
It is widely known that there are significant gaps in the number of jobs to fill and the perceived qualified candidates to fill these jobs within the cybersecurity landscape. This report focuses on staffing, skills, resources, cyber threats and maturity of cybersecurity as part of its insights.
These questions and the responses may lead to businesses shifting their approach as they seek to fill important roles in the near future.
A total of 2,031 respondents completed an online survey in the fourth quarter of 2021. The perspective comes from those who hold the Certified Information Security Manager, or CISM, certification through ISACA.
The CISM certification is aimed at advanced I.T. professionals who demonstrate they can develop and manage a cybersecurity program at an enterprise level. The CISM is focused not only on the technical aspects of cybersecurity but also requires an understanding from the business point of view.
The lack of candidates in cybersecurity is not a problem that sits only with technology leaders. The problem of filling positions is systemic and will continue to cause significant issues for all businesses looking to attract and keep talent over the years to come.
More than 63 percent of the respondents indicated their cybersecurity team was less than appropriately staffed, and 60 percent have experienced difficulties retaining qualified cybersecurity professionals.
This percentage of staffing shortages is a small uptick from the previous year and is in line with the results going back to 2018.
In short, any inroads made to add more professionals to the pipeline in recent years have not kept up with the demand for the positions.
Another concerning piece of information that is often lamented within technology circles and reflected in the survey is the disconnect between the hiring departments and the hiring managers.
The survey indicated 70 percent of the respondents believe their human resources department occasionally, rarely or never understands the cybersecurity hiring needs well enough to properly screen candidates.
With the lack of candidates in the cybersecurity space, there is increased competition for talent that has previous experience. The survey points out 73 percent believe prior hands-on cybersecurity experience is very important in determining if a candidate is qualified.
A whopping 59 percent of the respondents identified recruitment by other companies as the No. 1 cause for those leaving their current roles.
As internships, apprenticeships and job shadows garner more attention in getting younger candidates in the pipeline, there will need to be a continued effort to reevaluate the requirements for entry-level positions.
More companies need to put increased focus on finding candidates with strong communication and soft skills, and invest in training for the deep technical knowledge, to combat the gap.
The 2022 report included a new section that may provide some insight into what employers are doing to keep employees beyond increased salaries and wages.
The survey indicated that 66 percent of companies offer to pay certification fees for industry certifications as part of their benefit package.
Cybersecurity professionals are seeking to increase their knowledge and tool kits to help advance their careers and provide value back to the business.
Leaders should take note of this and other tools, including flexible work arrangements, to retain their cybersecurity talent.
Paul Nus is the director of technology at Folience, The Gazette’s parent company, and a board member of SecMidwest, a Cedar Rapids-based not-for-profit focused on cybersecurity education; SecMidwest.org.