Cybersecurity teams have historically been hampered by lax IT budgets, a shortage of skills and alert fatigue, which leaves security analysts overwhelmed by the sheer number of alerts to parse. However, retention issues also plague the industry, and according to a recent study, the increasing volume of cyberattacks in recent years is directly responsible for this problem.
Released this week at the inaugural ISACA Conference, the State of Cybersecurity 2021 Part 1 survey shows that 53% of information security teams had difficulty retaining talent last year during the pandemic. Respondents cited “limited remote work possibilities” as a reason for leaving their cybersecurity role.
61% of respondents indicated that their cybersecurity teams are understaffed, and 55% say they have unfilled cybersecurity positions. Half say their cybersecurity applicants are not well qualified and only 31% say HR regularly understands their cybersecurity hiring needs, exacerbating the problem.
Interestingly, and somewhat ironically, staff gaps and cyberattacks seem to be linked. 68% of respondents who experienced more cyberattacks in the past report being somewhat or significantly understaffed, and 63% who suffered more cyberattacks in the past reported difficulties retaining qualified cybersecurity professionals.
“It has become even more evident in the past year just how vital cybersecurity is to ensuring business continuity, yet the years-long struggle to staff these teams continues,” said Jonathan Brandt, ISACA information security professional practices lead. “As a global cybersecurity community, it is imperative that we all come together to recalibrate how we hire, train and retain our future cyber leaders to ensure we have a solid workforce to meet these evolving cybersecurity needs.”
Roughly a quarter of survey respondents said that recent graduates in cybersecurity are well-prepared, though 58% indicate that they require a degree for entry-level cybersecurity positions. Respondents note that they also seek prior cybersecurity experience, credentials, and hands-on training when determining whether a candidate is qualified.
The top three skills gaps are soft skills (56%), security controls (36%), and software development (33%). Organizations are addressing these shortcomings by training non-security staff interested in moving to security roles; increasing use of reskilling programs and outsourcing; promoting more performance-based training to build hands-on skill; and relying more on AI/automation.