Skills shortage a major cyber security risk

The proportion of information security professionals who feel organisations are getting worse at defending against major cyber security breaches has leapt from 9% to 18% in the past three years, a survey has revealed.

However, in contrast, the number of businesses that feel better prepared to respond to and deal with incidents rose from 47% to 66% over the same period, according to the latest industry survey by not-for-profit industry body, the Institute of Information Security Professionals (IISP).

Security industry leaders are increasingly putting emphasis on cyber resilience based on good detection and response capabilities, rather than relying mainly on defence technologies and controls.

“These results reflect the difficulty in defending against increasingly sophisticated attacks and the realisation breaches are inevitable – it’s just a case of when and not if,” said Piers Wilson, director at the IISP.

“Security teams are now putting increasing focus on systems and processes to respond to problems when they arise, as well as learning from the experiences of others.”

When it comes to investment, the survey suggests that for many organisations, the threats are outstripping budgets in terms of growth. The number of businesses reporting increased budgets dropped from 70% to 64% and businesses with falling budgets increased from 7% up to 12%.

According to the IISP, economic pressures and uncertainty in the UK market are likely to be restraining factors on security budgets, while the demands of the General Data Protection Regulation (GDPR) and other regulations such as Payment Services Directive (PSD2) and Networks and Information Systems Directive (NISD) are undoubtedly putting more pressure on limited resources.

The survey report highlights the problem of skills shortages with the proportion of respondents reporting a dearth of skills as a challenge growing to 18%, up from just 8% in 2015.

While acting as a potential brake on capability, the skills shortage is also driving job prospects year-on-year, reflected in a growth of respondents in all the higher salary bands and in those reporting good job and career prospects.

“This year’s survey further highlights the continued need for industry, government, academia and professional bodies like the IISP to continue to work to resolve these shortages in skills across all levels and disciplines,” said Amanda Finch, general manager at the IISP.

The rate of advancement in technology, the report said, will also put more pressure on skills and resources. When asked about the impact and disruption caused by emerging technologies, respondents put the internet of things (IoT) and artificial intelligence (AI) at the top of the list, followed by new computing models such as software as a service (SaaS).

“We have seen AI and machine learning used in defensive security systems for some time and this is now starting to become part of a wider automation approach,” said Wilson. “But like the IoT, AI can also be exploited by cyber criminals, so we need to have the people and technologies to respond and mitigate these emerging risks.” 

The IISP represents more than 8,000 individuals across private and government sectors, 41 corporate member organisations and 22 academic partners.

As well as surveying its members, the IISP opened the survey up to non-member security professionals, representing a wide range of ages, experience and industry sectors.