Infosec Opinion

Organizations with Vacant Cybersecurity Roles Suffer More Attacks: ISACA

ISACA recently released its State of Cybersecurity 2020 Survey Part 2 report.

The report is revealing. A majority of respondents think their company will be hit by a cyberattack soon. More than half of respondents believe they will experience at least one attack in the next 12 months. The survey gives a comprehensive snapshot of what cybersecurity professionals are facing—including the types of cyberattacks, solutions, and reporting challenges—and just how much of an impact cyber teams make on the security of their organisations.

The survey received responses from over 2,000 respondents from over 17 industries and 102 countries.

  • 32% of respondents reported an increase in the number of attacks relative to a year ago. However, there is a glimmer of hope—the rate at which the attacks increase is continuing to decline over time; last year, just over 39 percent of respondents answered in the same way.
  • While attacks are going up, with the top attack types reported as social engineering (15%), advanced persistent threat (10%), and ransomware and unpatched systems (9% each), the respondents believe that cybercrime remains underreported.
  • 62% of professionals believe that enterprises are failing to report cybercrime, even in situations where they have a legal or contractual obligation to do so.

The survey also establishes a logical correlation between a fully-staffed cybersecurity team, confidence in abilities to respond to threats, and the number of attacks that an enterprise experiences. While the number of respondents indicating they are significantly understaffed fell by seven percentage points from last year, a majority of organizations (62%) remain understaffed. Understaffed security teams and those struggling to bring on new staff are less confident in their ability to respond to threats. Only 21% of “significantly understaffed” respondents report that they are completely or very confident in their organisation’s ability to respond to threats, whereas those who indicated their enterprise was “appropriately staffed” have a 50% confidence level.

  • 35% of respondents in enterprises taking three months to hire reported an increase in attacks, as did 38 percent of those in enterprises taking six months or more.
  • 42% of organisations that are unable to fill open security positions are experiencing more attacks this year.

Similar research by Stott and May, Cyber Security in Focus, reveals that leaders are still struggling with the skills gap and access to talent. Nearly 76% of survey respondents think there is a shortage of cybersecurity skills in their company. This problem still seems truer for the mid-market and large enterprise segments. Corporations are struggling to source cybersecurity talent (72%), with no material improvement in time-to-hire from 2019.

In early 2019, Gartner TalentNeuron data predicted that there would be a global shortage of nearly 2 million cybersecurity professionals by the end of 2019. The global pandemic has further escalated the situation. In spite of a decline in new job postings between February 1 and April 10, both the U.S. and the U.K. saw a surge in demand for infosecurity roles. There was a 65% upswing in demand in the U.S. and an increase of more than 5% in the U.K., driven by big banks, technology giants and niche infosecurity companies.

“Unfortunately, the prospects for filling cybersecurity vacancies are slim for many organisations. The cybersecurity profession is in the midst of an acute shortage of qualified workers,” says a blog by (ISC)². (ISC)²’s 2019 Cybersecurity Workforce Study put the estimate of a global shortage at 4.07 million.

The (ISC)² Cybersecurity Workforce Study 2019 lays out four strategies organizations should consider:

  • Address cybersecurity team members’ needs with training and career development opportunities.
  • Properly set internal expectations about applicant qualifications to widen the search for candidates as much as possible.
  • Target recent college graduates and workers with degrees relevant to cybersecurity.
  • Grow your cybersecurity team from within with further development and cross-training opportunities.

Understaffed CISOs and their security organisations are in a tight spot. They are working overtime almost every day to ensure that all the remote workers – outside of the regular, secured perimeter – pose minimum threats to the organisational data and its crown jewels. However, the growing sophistication and intensity of attacks strongly suggest that this gap needs to be filled and the shortage addressed sooner rather than later.
