Challenges faced by CyberSecurity Professionals in 2020.

We speak to a number of CyberSecurity professionals on a daily basis and the topic of conversation always leans towards the challenges they deal with.

A recent report from the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) (link here) exploring the ‘Life and Times of Cybersecurity Professionals 2020’ highlighted and supported what we know about the significant challenges which Cybersecurity professionals are facing today.

The report concluded that:

  1. The cybersecurity skills shortage is getting worse. 70% of ISSA members believed their organization had been impacted by the global cybersecurity skills shortage. 45% believed the cybersecurity skills shortage (and its impact) have worsened over the past few years -only 7% believe things have got better. The top ramifications of the skills shortage include an increasing workload, unfilled open job requisitions and an inability to learn or use cybersecurity technologies to their full potential. No single action (funding, college programs, retraining, etc.) is working to bridge the cybersecurity skills gap. What’s needed is a holistic approach of continuous cybersecurity education (starting with public education), comprehensive career development, and career mapping/planning—all with support from and integration with the business.
  2. Cybersecurity professionals continue to need some career guidance. In the survey, 63% of respondents had worked in cybersecurity for less than 3 years, with 76% starting as IT professionals before switching their career to cybersecurity. As in past surveys, 68% of  cybersecurity professionals surveyed don’t have a well-defined career path and historical solutions are only compounding problems, confusing security professionals while lacking any real guidance. For those interested in a cybersecurity career, ISSA members recommend they find a mentor, get basic cybersecurity certifications, find cybersecurity internships and join a professional organization.
  3. Almost half of cybersecurity professionals want to become CISOs. 16% of respondents were CSOs, CISOs or in a similar cybersecurity position. Of the remaining participants, 47% admitted that they’d like to become a CISO in the future. To achieve this position, ISSA members said they need to develop their leadership, business and communications skills. This points to the fact that, while career options remain murky, business education should be part of all cybersecurity career development plans.
  4.  Cybersecurity careers depend on hands-on experience. ESG/ISSA asked  participants to choose which was most important for their career development: hands-on experience or security certifications. 52% chose hands-on experience and 44% claimed that hands-on experience and certifications are of equal importance. Clearly, hands-on experience is critical but it should be supplemented with the right certifications at the right times. The point here is that certifications MUST be supplemented with practical knowledge about how to derive, implement and operate technical requirements for policy enforcement.
  5. Cybersecurity job satisfaction goes beyond compensation. An important one here and one which we hear everyday. Aside from compensation, cybersecurity job satisfaction is a function of many factors such as support and encouragement for continuing cybersecurity education, business management’s commitment to strong cybersecurity and the ability to work with a highly skilled and talented cybersecurity staff. Organizations with all these qualities will have a distinct advantage in recruiting and hiring as they add to their cybersecurity staff.
  6. Cybersecurity careers can lead to personal mental and physical stress. The pace and stress of a cybersecurity job can have personal consequences—29% of respondents say that they’d either experienced significant personal issues as a result of cybersecurity job stress or they knew someone else who had.
  7. Cybersecurity training remains inadequate. Most survey respondents didn’t believe their organization provided the right level of cybersecurity training. 36% of respondents reported that they thought that their organizations should provide a bit more cybersecurity training, while 29% believed their organizations should provide significantly more training. Cybersecurity professionals should make business managers aware of this problem and understand the ramifications. This is likely the first step toward a cooperative solution.
  8. It takes years to become a proficient cybersecurity professional. Respondents were asked to speculate on how long it takes a cybersecurity professional to become proficient at their job. The highest percentage of respondents (39%) believed it took anywhere from 3 to 5 years to develop real cybersecurity proficiency, while 22% said 2 to 3 years, and 18% claimed it takes more than 5 years. This speaks to the time necessary to understand the use of technology, factor in security models and principles and then apply this knowledge toward supporting business goals.
  9. CISOs are business, not technical, leaders. When asked to identify the most important qualities of a successful CISO, two characteristics stood out above all else: communication skills and leadership skills. Lagging these “must have” skills, 38% of respondents chose management skills, while 36% said business skills. Technical skills were last on the list. The complexity of knowledge necessary for success is a perfect blend of technical knowledge, business acumen, security strategy and educational ability.
  10. CISO effectiveness is a mixed bag. The respondents provided feedback on their
    CISO’s effectiveness. While 42% rated the CISO as very effective, a concerning 47% responded somewhat effective, while 12% said not very effective at all. Overall, there is room for improvement. This may reveal that few CISOs have the blend of business, leadership, communications and technical skills necessary for success.
  11. Governments and schools are not keeping up with cybersecurity challenges. Respondents rated several constituencies in terms of their ability to keep up with cybersecurity challenges. The results were not encouraging, especially regarding government agencies and public schools. Most respondents believed that government agencies should be doing a lot more to address cybersecurity challenges, while 84% of respondents believed that public schools/institutions should be doing a lot more to address cybersecurity challenges. This data reflects an age-old cybersecurity belief—cybersecurity is most effective when it is baked in, rather than bolted on, to any discipline or culture.
  12. Cyber-adversaries maintain an advantage over defenders. ISSA members were asked to compare the status of cyber-adversaries with that of cyber-defenders. The results were even more alarming than previous years’ surveys as 67% of respondents believed that cyber-adversaries had a big advantage over cyber-defenders as compared to 59% in the 2018-2019 project.

While some progress is being made, the same issues present themselves year after year – a shortage of skills, under-trained employees and the stress and strain caused by a career in the cybersecurity field.

These disturbing trends should be of concern to corporate directors and business executives, not just CISOs.