According to a new study released by (ISC)2, organizations that have made a strong investment in cybersecurity technology are better able to retain the talent they need to protect against both internal and external threats.
The study, Building a Resilient Cybersecurity Culture, surveyed 250 organizations representing a range of sizes. The prerequisite was that the companies had demonstrated a solid cybersecurity track record. Rather than approaching the skills gap from the negative side, the study sought to identify demonstrable solutions to the workforce gap from companies that report that they have “all the cybersecurity experts that they need to be successful.”
The survey participants were all full-time employees with cybersecurity responsibilities who affirmed that their companies do an adequate job of staffing their cybersecurity teams. Of the 250 participants, 84% work at companies with more than 100 employees, while 16% work at companies with fewer than 100 employees.
Only 18% of survey participants said they worry about losing members of their security staff, yet 99% said they have influence or decision-making authority in hiring and evaluating IT professionals.
“Respondents in the survey worry less about losing cybersecurity employees than actual threats, an indication that having competent, experienced people in place allows them to focus on what is important – protecting the organization. Hence, 57% say their biggest concern is the constant evolution of threats they face, and 43% say it’s the determination of threat actors,” the report said.
Top management's understanding of the importance of strong cybersecurity seems to be critical to successfully staffing security teams, as the study also found that a strong culture begets professionals who hold certifications. When hiring for their cybersecurity team, 70% of participants said they give priority to hiring certified security professionals. The same number focus on training and promoting from within. Also key to successful staffing is drafting clear job descriptions, which 52% of participants said they give priority to when hiring.
“One of the challenging things for growing organizations is aligning their job descriptions with both what the market can provide as well as the security org they're trying to build is inside,” said Dr. Bret Fund, founder and CEO at SecureSet. “This may sound much simpler than it really is, but it can be a real challenge to the organizations.”
“As organizations look to security educators, standards bodies and certification providers, having a sense of how their organization aligns with some of the best practices of industries is going to be vital.”
Part of strengthening their security teams includes offering training and certification opportunities to employees as well as cross-training on cybersecurity skills and responsibilities. “The (ISC)2 report is a good example of the growing awareness of a strategic gap in cybersecurity training in the US,” said Brajesh Goyal, vice president of engineering at Cavirin.
“If you go back to the end of WW2, there was a call for additional engineering training. [We’re experiencing the] same thing [now], and in fact the just-released ‘National Cyber Strategy’ document called out the need for additional training, both for the US government and for the commercial sector. These actions trickle down to proposed initiatives like a cyber Peace Corps or even the new Girl Scouts cybersecurity badge.”