A lack of business investment means cybersecurity teams are struggling to keep enterprise networks secure at a time when the rise in remote working is providing additional security challenges -- and it's having an impact on their well-being.
A global study of cybersecurity professionals by Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG) warns that this lack of investment, combined with the challenge of additional workloads, is resulting in a skills shortage that's leading to unfilled jobs and high burnout among information security staff.
According to the study, which surveyed over 500 cybersecurity professionals, 57% say a shortage of cybersecurity skills has impacted the organisation they work for, while just over 10% report a significant impact.
MUST READ: Need developers, project managers or CIOs? Watch out, because the rules of tech hiring are changing
The effect is an increased workload for information security staff, according to 62% of respondents. That's had a knock-on effect on the mental health of information security staff, 38% of whom say they've experienced burnout as a result of extra work pressures during what was already a difficult year.
"The impact, especially this past year of the pandemic, has been significant. Teams are expected to do even more as a result of businesses moving to the remote operating model," says Candy Alexander, board president of ISSA International.
"The risk landscape has shifted dramatically to a more exposed environment and a cyber-war is in full swing with ransomware attacks becoming devastating to many businesses. Cybersecurity professionals are now challenged with keeping up with the latest and greatest threats," Alexander adds.
One of the reasons many cybersecurity staff have struggled is because of the sudden rise of remote working as a result of the global pandemic: 50% of respondents say this has led to an increase in stress.
Greater prevalence of remote working has made some aspects of enterprise network security more difficult, as cybersecurity staff have needed to help employees -- many of whom may not have worked from home before -- stay safe.
More remote working means greater usage of cloud applications, which has led to increased demand for cybersecurity professionals with skills in cloud computing security . A significant number of organisations are struggling to find the people to fill these gaps.
Almost four in ten (39%) of cybersecurity professionals say their organisation is struggling to fill cloud computing security roles. Meanwhile, 30% are finding it difficult to fill vacancies in application security, and there's a similar story when it comes to security analysis and investigation.
The ISSA/ESG report found that many organisations are making basic mistakes in hiring and recruiting cybersecurity professionals. More than three-quarters said it was extremely or somewhat difficult to recruit and hire security professionals, but 38% said their organisation doesn't offer competitive compensation, while 29% said their HR department doesn't understand the skills needed for cybersecurity and 25% said that job postings at their organisation tended to be unrealistic. Three-quarters of security professionals said that they were approached by recruiters every month.
Part of the issue, the report suggests, is many boardrooms view cybersecurity as a cost -- something that needs money spent on it but doesn't help the bottom line of the business -- especially when organisations think about finances in the short-term.
It's likely these boardrooms still see cybersecurity as a technology issue rather than a business issue, which is naïve when high-profile data breaches and ransomware attacks have demonstrated that if cybersecurity isn't managed correctly, it can have huge consequences for the whole business, not just the IT and cybersecurity teams.
"Cybersecurity is seen as a cost centre to the business -- something you have to do, but only to a minimal degree, like paying the light bill. We need to shift the conversation to aligning our security programs with the business," says Alexander.
"Businesses have a tendency to invest in things they see value in. We need to ensure they see the value in our cybersecurity programs -- including people, training and technology," she added.
People and training are a key issue here: technology changes fast and the methods cyber criminals use to break into networks are constantly evolving, so it's important for organisations not only to hire the right people, but also to invest in training them so they can continue in their jobs by reacting to the latest threats and dealing with new forms of technology.
But that doesn't start with employers: in order to ensure there are enough people to fill cybesecurity jobs going forward, education and training pathways are needed.
"At a societal level, we have to do more to educate school age children about cybersecurity and career opportunities," says Jon Oltsik, Senior Principal Analyst and ESG Fellow.
"We need more funding for cybersecurity scholarships. We need more internship and mentoring programs. All of these things are works in progress and there are some worthwhile efforts, but supply is not keeping up with demand and it won't anytime soon".
In the meantime, it's recommended that CISOs are in communication with the board in order to ensure that they're aware of the needs of cybersecurity and that they are getting appropriate amount of attention and investment.
And while issues around the available cybersecurity workforce might continue to be a problem for CISOs for now, there are tools and technologies that can help ease the staff workloads, helping to improve both their wellbeing and the organisation's cyber defences.
"CISOs must make all decisions assuming the impact of the cybersecurity skills shortage. This requires a greater commitment to working with service providers, process automation, and advanced analytics technologies," says Oltsik.