Skills shortages still pose major risk to long term information security capability
23 May 2018: The latest survey from the not-for-profit industry body, the Institute of Information Security Professionals (IISP), shows that over the last three years, those feeling that organizations are getting worse at defending against major cyber security breaches has leapt from 9% to 18%. In contrast, the number of businesses that feel better prepared to respond to and deal with incidents rose from 47% to 66% over the same period.
“These results reflect the difficulty in defending against increasingly sophisticated attacks and the realization that breaches are inevitable – it’s just a case of when and not if,” says Piers Wilson, Director at the IISP. “Security teams are now putting increasing focus on systems and processes to respond to problems when they arise as well as learning from the experiences of others.”
When it comes to investment, the survey suggests that for many organizations, the threats are outstripping budgets in terms of growth. The number of businesses reporting increased budgets dropped from 70% to 64% and businesses with falling budgets increased from 7% up to 12%. Economic pressures and uncertainty in the UK market are likely to be restraining factors, while the demands of the GDPR (General Data Protection Regulation) and other regulations such as PSD2 (Payment Services Directive) and NISD (Networks and Information Systems Directive) are undoubtedly putting more pressure on limited resources.
The IISP Survey report also once again reinforces the problems of skills shortages with the number of respondents reporting a dearth of skills growing to 18% of respondents citing it as a challenge in this year’s results. While acting as a potential brake on capability, the skills shortage is also driving job prospects year-on-year, reflected in a growth of respondents in all the higher salary bands and in those reporting good job and career prospects.
“This year’s survey further highlights the continued need for industry, government, academia and professional bodies like the IISP to continue to work to resolve these shortages in skills across all levels and disciplines,” says Amanda Finch, General Manger at the IISP.
The rate of advancement in technology in the wider IT, systems and threat environment will also put more pressure on skills and resources. When asked about the impact and disruption caused by emerging technologies, respondents put the Internet of Things (IoT) and the rise of Artificial Intelligence (AI) at the top of the list.
“We have seen AI and machine learning used in defensive security systems for some time and this is now starting to become part of a wider automation approach,” says Wilson. “But like the IoT, AI can also be exploited by cyber criminals, so we need to have the people and technologies to respond and mitigate these emerging risks.”
The IISP has a growing and diverse membership representing over 8,000 individuals across private and government sectors, 41 Corporate Member organizations and 22 Academic Partners. As well as surveying its members, the IISP opened the survey up to non-member security professionals, representing a wide range of ages, experience and industry sectors. The survey was conducted in the second half of 2017/early 2018.
A copy of the IISP white paper on the results of the survey is available here.