We’re taking a 30,000-foot view of cyber security to understand the state of the industry from an enterprise perspective and share some common challenges faced by diverse industries. Doing so gives infosec leaders insight into how challenges emerge in their workplace and, potentially, a sense of relief in knowing that their industry (and they, as professionals) are not alone in this struggle.
Cyber security remains dynamic and turbulent as businesses and technologies grow in complexity and hackers become more sophisticated. There is much discussion regarding the need to increase cyber security spending to expand cyber teams to cover more ground. We also know that many businesses lack confidence in their current cyber readiness, due in part to the common challenges detailed below.
Lack of qualified cyber security experts
Finding cyber security professionals who possess specific technical skill sets is an uphill battle for many infosec leaders who are trying to grow and expand their cyber teams. According to Harvard Business Review, one of the main reasons is that businesses tend to look for people with traditional technology credentials instead of individuals possessing a wide variety of professional and technical skills. As attacks get more sophisticated, varied skill sets, both technical (forensics, network analysis, malware detection) and professional (communication, problem-solving, analysis), will be required to combat them effectively, so leaders would be wise to expand their talent searches to include more diverse skill sets moving forward.
Lack of structured upskilling among talent
Senior staff often have a significant advantage over newer hires because they understand the ins and outs of their company. However, having advanced in their careers does not necessarily make them the most effective at teaching junior staff new skills and approaches to cyber security, since conducting effective training is often a full-time job in itself. At the same time, it is difficult for IT professionals to consistently remain up-to-date on best practices across all aspects of cyber security. The 2019 IT Security Employment Outlook report and many other resources note a 3 million staffing gap in cyber positions. Skills needed include the ability to identify key cyber terrain and risks, protect organizational assets and data, detect unauthorized access and data breaches, respond to cybersecurity events and attacks, and recover normal operations and services. Investing in consistent, structured, measurable training to upskill existing team members is an effective way to assess and combat these deficiencies.
Staff retention and fatigue
Since many organizations do not have the proper resources to alleviate heavy workloads and to effectively combat cyber threats, information security employees are often fatigued from long hours, immense pressure, and unreasonable workloads. These issues contribute to dissatisfied employees and high attrition rates across the industry. Taken together, these issues pose a serious problem, because an organization that trusts its security to a fatigued and undermanned or under-skilled cyber team is ultimately a threat to us all. CSO magazine recommends that companies assess “the state of mind of key staff members, create work schedules to rotate personnel off the front lines, and provide the right levels of support, stress relief programs, and career counseling.”
Combating common cyber security challenges
These challenges are daunting and exist across many industries, keeping many infosec professionals up at night. Fortunately, by expanding the pool of candidates to include more diverse skill sets, investing in immersive cyber security training, and understanding the state of mind of key staff members, including monitoring their level of job satisfaction and fatigue, firms can more effectively combat these common challenges.