Cyber security has quickly grown to be a major issue for businesses of all sizes, with ransomware now the number one threat and the number of attacks rising daily. However, 46 per cent of organisations have a problematic lack of security skills, according to a new study by ESG and ISSA.
With such a large shortage of cyber security professionals, demand is unreasonably high, and is estimated to grow 53 per cent by 2018. This creates less-than-ideal working conditions for the professionals in this field.
Overall, the study reports that only 41 per cent of cyber security professionals are satisfied with their jobs. Looking at the current conditions of the average cyber security job, you can understand why. Cyber security professionals are in short supply, so those who are in the field are often overworked. Many organisations do not budget for new or upgraded IT or security technology, so professionals in this field are left performing monumental jobs on sub-par technology. Lastly, too many organisations allow their security to be run reactively, so they are always on the defensive. This leaves cyber security professionals resolving security alerts and performing emergency responses, high-intensity tasks that do little to prevent the next attack.
The study also reports that 20 per cent have poor relations with the rest of the IT department and about a fourth of the professionals have poor relations with the business team of the company. To make matters worse, over half reported that their companies do not provide ongoing training to help them better protect their organisations. These factors, combined with the fact that almost half of these professionals are contacted at least once a week by recruiters looking to fill vacant positions, result in high attrition rates for these professionals.
With cyber security breaches forecast to get worse, we, as an industry, need to tackle these concerns head on and improve the satisfaction rate of cyber security professionals to better help organisations stay safe and secure.
Step 1: Raise the profile of cyber security internally
To begin addressing the issues at hand, businesses of all sizes need to start taking cyber security seriously. Cyber security can no longer be confined to the IT department. Every part of a business must be aware of the cyber threats it faces and the broader risk they pose to the organisation.
Additionally, improving the relationships between cyber security professionals and other departments within the company should directly address the low satisfaction levels most cyber security professionals report. This can also directly strengthen the organisation’s security levels because each department will work together to make the organisation safer.
Step 2: Encourage ongoing cyber security education – for professionals and the rest of the company
Basic cyber security education for non-cyber security employees can reduce the number of careless mistakes they make, as untrained employees are likely unable to recognise even obviously fake phishing emails. When employees are aware of the fundamentals of proper security practices, there is less friction between them and the cyber security professionals, and less time is spent correcting basic security mistakes.
For cyber security professionals, organisations should provide access to extracurricular courses that give them the opportunity to keep up to date on the latest security practices. The security industry constantly evolves, and an organisation can easily be breached if it is not using the most up-to-date security practices.
Training for both non-security and security-focused employees should be implemented through an ongoing, measurable system to ensure progress on behalf of the employees as well as increase readiness to prevent and adequately deal with cyber security incidents.
Step 3: Build a strong corporate policy around cyber security
None of these practices will help organisations if they are not properly implementing security protocols to ensure that each and every individual is actively participating in keeping the organisation safe. Setting firm rules surrounding security will better ensure good employee security habits, can regulate the interactions between cyber security professionals and non-cyber security professionals, and can reduce the number of security incidents that the organisation faces.
This should also include a mandate for organisations to keep their security and IT technology up to date. Updated technology allows for smoother implementation of various security defenses, including automated defenses, reducing the amount of time a cyber security professional needs to spend maintaining the technology and dealing with menial security issues.
Organisations can follow these practices to help improve the current conditions for cyber security professionals, but there needs to be a fundamental industry shift if organisations and the cyber security industry itself want to address the deficit of cyber security professionals compared to the rising rate of cyber criminals. Awareness must begin well before individuals enter the workforce, starting even as early as primary school. As they say, it’s hard to teach an old dog new tricks. If we introduce the concept of smart and safe work habits to schools, new employees will enter the workforce equipped with proper security knowledge to help keep organisations safe. Intensive higher education programs should also be introduced and promoted to help prepare and cultivate the next wave of cyber security professionals. Creating a higher awareness of the programs and opportunities individuals will have in this field will attract more workers to the industry as well as alleviate the tension current professionals feel.
Plenty can be done to improve the current satisfaction level of cyber security professionals, but we need to make a stronger effort in taking the first step to enact this change. It’s unacceptable that only 41 per cent of these professionals are satisfied in their careers when security is such an integral department of every organisation in this day and age.
It’s time that we start taking responsibility into our own hands to bring about this change and work toward a future that is respectful of cyber security professionals and involves a collaborative effort to protect enterprises.
Dotan Bar Noy, CEO and Co-Founder of ReSec Technologies