Neglecting to prioritize cybersecurity and sufficiently train staff likely behind cybersecurity workforce crisis
by Pushpendra Mehta, Executive Writer, CTMfile
Treasury, thought of as the superintendent of payment security, has to stay focused on security and fraud prevention given the alarming rise in cyber attacks and the increasingly sophisticated techniques being adopted by cyber criminals.
Treasurers are also confronting another existential threat – the failure of organizations to prioritize security and invest enough in training their staff.
Shortage of cybersecurity professionals ‘not’ the most impactful challenge
The fifth annual (ISC)² Cybersecurity Workforce Study done in collaboration with Forrester Research, Inc. drew on responses from 11,779 international practitioners and decision-makers to gain their perspectives and experiences about working in the cybersecurity profession. It offers a decisive answer to the root cause of a global workforce crisis in cybersecurity: the problem lies mostly in “Not prioritizing cybersecurity, not sufficiently training staff, and not offering opportunities for growth or promotion”, not cybersecurity talent shortages, which may be the most common challenge, but not necessarily the most impactful.
According to the non-profit (ISC)², which is focused on inspiring a safe and secure cyber world, the size of the global cybersecurity workforce in 2022 is 4.7 million (Cybersecurity Ventures expects the total damage caused by cybercriminals to reach $6 trillion in 2022), which is an 11.1% increase over last year and the highest ever recorded. However, “The cybersecurity field is still critically in need of more professionals. To adequately protect cross-industrial enterprises from increasingly complex modern threats, organizations are trying to fill the worldwide gap of 3.4 million cybersecurity workers”, as per (ISC)². This shortage is particularly severe in government, insurance, aerospace, education and transportation sectors.
The (ISC)² study shows that nearly half (45%) of employees at organizations with slight workforce shortages feel that the staff deficit puts their organization at a “moderate” or “extreme” risk of cyberattack. This risk increases substantially (74%) when organizations have a significant staffing shortage. This shortage has stretched security teams thin and resulted in organizations experiencing issues like lack of proper time for risk assessment and oversight of processes, slower patching of critical systems, and less time and resources for staff training.
Despite the cyber talent pool shortage, “Being unable to find qualified talent was actually the least impactful problem”, the (ISC)² report stated.
Organizations that train employees least likely to have cybersecurity workforce shortages
The (ISC)² survey found that “Organizations with initiatives to train internal talent – rotating job assignments, mentorship programs and encouraging employees outside of cybersecurity to join the field – were least likely to have shortages (see figure below).”
Source: (ISC)² Cybersecurity Workforce Study, 2022
These initiatives are particularly impactful for larger corporations, as was demonstrated in the study, where only 49% of companies with 1,000 or more employees who had implemented all three of these internal training initiatives had staffing shortages compared with 77% of those who had implemented none. “These were not, however, the most commonly adopted initiatives. In fact, many of the most effective initiatives had the lowest implementation levels”, the study explains.
Furthermore, the survey report states that companies without adequate cybersecurity talent were more likely to lean on automation. Fifty-seven percent have adopted it for aspects of security that are consistent and repeatable, with an additional 26% planning to adopt it in the future. This may reduce staffing shortage issues without adding additional employees.
Passion for cybersecurity work, not the job.
“Roughly 75% of those surveyed report being ‘somewhat satisfied’ or ‘very satisfied’ with their job and passionate about their work”, observes the (ISC)² study. Respondent satisfaction was lower, however, with their specific teams (68%), departments (62%) and overall organization (60%), with unhappiness coming from workplace culture and issues rather than from cybersecurity work itself.
Many who left their jobs over the past two years cited a higher-paying position, promotion and more growth opportunities. But, concerningly, the next three reasons for leaving a job are all related to cultural landscape and workplace employee experience: negative/unhealthy culture, burnout and poor work/life balance (see figure below).
Source: (ISC)² Cybersecurity Workforce Study, 2022
“Overall, only 50% of those polled saw a high likelihood they would remain at their current organization for the next five years”, the report further added, with results strongly suggesting that unhappiness with organizations fuels cybersecurity staffing shortages. The most significant factor of poor employee experience was the failure of companies to listen to or value employee input.
In essence, “Cybersecurity professionals are passionate about their work, so while overwork is not a positive thing, it is not as negative as feeling like their expertise and knowledge are not being valued or asked for”, says the report.
As relentless and powerful cyber attacks on organizations are on the rise, cybersecurity professionals burdened with protecting businesses are "reaching their breaking point" because the nature and frequency of cybersecurity incidents mean dealing with constant crises and strain.
A global study of 1,100 cybersecurity professionals by Mimecast found that one-third of respondents are considering leaving their role in the next two years due to stress. “With the profession facing a pressure cooker of ongoing attacks, disruption, and burnout, it’s critical that organizations support security teams by giving cyberattacks the focus and resources needed — or face losing critical employees”, according to Mimecast's survey.
To conclude, the challenges associated with the increase in cybercrime and cybersecurity staffing shortages have a common connection – your employees, who are your best defence against cyber attacks.
Prioritizing cybersecurity enterprise-wide, emphasising adequate and regular security training (securetreasury.com), creating pathways for talent pool growth, valuing employees’ voices, listening to staff’s concerns, and caring about personnel wellbeing will ensure that they stay passionate about cybersecurity, as well as helping take the pressure off your hard-pressed cyber employees.