Dwindling resources, experience and skills are the biggest challenges facing the cybersecurity profession today, according to new research from the Chartered Institute of Information Security.
Nearly half (45%) of those polled for the institute’s annual survey, The Security Profession in 2018/19, pointed to lack of resources as the biggest issue they face, followed by lack of experience (37%) and skills shortages (31%).
The latter have been an issue for years, with global shortages estimated at nearly three million, including 142,000 in EMEA.
The professionals the industry does have risk being swamped by the black hats: just 11% of respondents said security budgets were rising in line with, or ahead of, threat levels, while the majority (52%) said budgets were rising, but not quickly enough.
When asked to choose between people, process and technology, the vast majority of professionals polled for this report claimed that people (75%) were the biggest challenge to cybersecurity, rather than process (12%) and technology (13%).
“Clearly, this could be a shortage of skilled security architects, the fact that developers seldom create secure code, the user awareness problem where passwords and phishing emails are concerned; probably it is a combination of people-related issues,” the report explained.
On the plus side, the dearth of qualified professionals led a majority of respondents to claim this is a good time to join the industry: 86% said the industry will grow over the next three years and 13% said it will “boom.”
In addition, over 60% claimed the profession is getting better – or much better – at dealing with security incidents when they occur, while less than half (48%) said the same about defending systems from attack and protecting data. In fact, 14% said the profession is getting worse at this.
This highlights a general trend of organizations being forced to broaden their approach from prevention alone to include incident response.
“IT security is a constant war of attrition between security teams and attackers, and attackers have more luxury to innovate and try new approaches,” said Amanda Finch, CEO of the Chartered Institute of Information Security.
“As a result, the industry’s focus on dealing with breaches after they occur, rather than active prevention, isn’t a great surprise – the former is where IT teams have much more control. Yet in order to deal with breaches effectively, security teams still need the right resources and to increase those in line with the threat. Otherwise they will inevitably have to make compromises.”