While the shortage of skilled cybersecurity practitioners has been well-documented for several years, it is important to understand the contours of the skills gap for a more constructive view of how enterprises can best move forward.
ISACA’s recently published State of Cybersecurity 2018 research has pinpointed specific themes that are impacting enterprises’ cybersecurity capabilities, both globally and throughout the Asia Pacific Region.
The urgent need for more practitioners in technical roles stands out as a central concern. Among respondents from the Asia Pacific and Oceania regions, 72% indicate the need for increased staff among individual contributors in technical security roles, compared to 45% who indicate more staff are needed in non-technical security roles.
I am a big believer in the need for real-world skill development that builds the technical skills needed to contend with the complex and expanding threat landscape. Enterprises need to invest more in providing this caliber of skill development to their security teams, whenever possible tapping into live and dynamic network environments.
Skill development is among the most important pieces of an enterprise’s security budget. There is some encouraging data on the investment front, as 69% of respondents in the Asia Pacific and Oceania regions indicate their enterprises are planning to increase their security budgets this year, slightly higher than the 64% rate among respondents globally. This might be why nearly 4 in 5 respondents in Asia Pacific and Oceania believe that their boards of directors are adequately prioritizing enterprise security – a critical ingredient in the ultimate success of enterprises’ security programs.
While increased attention from boards and the C-suite is welcome, it is important to bear in mind that even as investment increases, the threat landscape does not stand still. Ransomware, the proliferation of connected devices and more sophisticated forms of malware are just some of the challenges that reinforce that just because spending is increasing, there is no guarantee that enterprises’ digital assets will be better protected.
While people, processes and technology all are important ingredients in an enterprise’s security program, that first element – people – must lead the way to improved security posture. Less than half of respondents in Asia Pacific and Oceania report their enterprises are able to fill open security positions in three months or less. Given the escalating number of threats in today’s security landscape, this is an untenable situation that can create devastating consequences for enterprises that are inadequately staffed to contend with cyberattacks.
Part of this skills shortage is reflective of the underrepresentation of women in the global technology workforce. I am proud that my ISACA board colleague Jo Stewart-Rattray is at the forefront of this critically important issue, championing ISACA’s SheLeadsTech program and having recently represented Australia at the United Nations’ Commission on the Status of Women, with an emphasis on empowering girls and women through technology.
None of these challenges have easy solutions, but the need for robust security teams will only intensify in the coming years as digital transformation becomes increasingly widespread in Asia Pacific and around the globe. Enterprises will need to deploy new technologies such as Internet of Things devices, artificial intelligence, blockchain and more if they are to remain competitive in the marketplace. These technologies introduce new risks that will further test enterprises’ capacity to effectively and securely leverage technology.
Enterprises must rise to the occasion of meeting these challenges. Taking a closer look at the skills gap – the areas where progress is evident, and others where there is still much work to be done – provides helpful context for enterprises to calculate their next move.