Professionals were also clear about where threats originate. Overwhelmingly, 75 percent perceived people are the biggest challenge they face in cyber security – with processes and technology near-equal on 12 and 13 percent respectively. This may explain the need for more resources even as budgets increase: people are a far more complex issue to deal with. Yet at the same time, there are signs of improvement. More than 60 percent of IT professionals say that the profession is getting better – or much better – at dealing with security incidents when they occur, with only 7 percent saying the profession is getting worse. Conversely, less than half (48 percent) of respondents felt the industry is getting better at defending systems from attack and protecting data, with 14 percent saying the profession is getting worse. This suggests an ongoing move in the industry – from focusing on prevention, to an all-encompassing approach to security.
“IT security is a constant war of attrition between security teams and attackers, and attackers have more luxury to innovate and try new approaches,” said Amanda Finch, CEO, Chartered Institute of Information Security. “As a result, the industry’s focus on dealing with breaches after they occur, rather than active prevention, isn’t a great surprise – the former is where IT teams have much more control. Yet in order to deal with breaches effectively, security teams still need the right resources and to increase those in line with the threat. Otherwise they will inevitably have to make compromises.”
Other relevant statistics from the research included:
The focus on a lack of resources, experience and skills suggests that IT security teams are feeling the effect of the IT skills shortage. Yet this is also an opportunity for individuals. The majority of IT security professionals surveyed believe this is a good time to join the profession – 86 percent say the industry will grow over the next three years and 13 percent say it will “boom”. There is also an opportunity, and need, for women in the industry – 89 percent of respondents identified as male, and 9 percent as female. More than 37 percent say they have better prospects than a year ago, and the factors attracting people to take security jobs are the same as then – remuneration, followed by scope for progression and variety of work. Insufficient money, or a lack of opportunity, also cause people to leave security positions – yet the top factor causing people to leave their jobs is bad or ineffectual management.
“In the middle of a skills shortage, organisations need to treat their workers carefully. Losing them through a lack of investment, through failing to help develop skills, or simple poor management, cannot be allowed,” continued Amanda Finch. “At the same time, they cannot simply hire anyone to fill the skills gap – bringing the wrong person into a role can be a greater risk than an empty seat. Instead, organisations must understand what roles they need to fill; what skills those roles demand; and what skills applicants have. Armed with this, businesses can fill roles and support workers throughout their careers with the development, opportunities and training they need. This doesn’t only mean developing technical skills, but the social, organisational and strategic skills that are essential to put security at the heart of the business.”