Though businesses recognise the increased threat, less than one in ten (8%) of the organisations who complete cyber risk assessments do these monthly while two in five (40%) conduct them annually. The failure to regularly assess cyber risk leaves organisations vulnerable to attacks and increases the risk of breaches going undetected for prolonged periods.
A lack of human resource is contributing to businesses not measuring and testing their cyber defences regularly enough. Almost two thirds (62%) of respondents report that their cybersecurity team is understaffed. Of those organisations with unfilled roles in cybersecurity, 39% are looking to fill entry level positions that do not require experience, university degree, or credentials. Typically, 44% of organisations state that they require a university degree to fill entry level cybersecurity positions when they have them.
Chris Dimitriadis, Global Chief Strategy Officer at ISACA, said: “Our findings show that businesses are still struggling to find the right people with the right skills to manage cybersecurity. With cyberattacks on the rise, if we do not solve these challenges and address the gaps, businesses, ecosystems of supply chains and public sector bodies could be at threat from a lack of vital protection, detection, response and recovery. Businesses do not exist in isolation from their customers or the other organisations within their network, and a cyberattack on one part of the ecosystem can have consequences for everyone else. This is why holistic training is needed towards creating a safer world.”
There are some simple steps businesses can take to tackle the cyber skills gap and improve their cyber resilience. Of those who are already making headway, half (50%) of the organisations surveyed are upskilling non-security staff, 46% are increasing the use of contractors or external consultants, and a quarter (27%) are adopting reskilling programmes.
Cybersecurity professionals believe that hands-on experience in a cybersecurity role (97%), credentials held (88%), and completion of hands-on cybersecurity training courses (83%) are very or somewhat important when determining if a cybersecurity candidate is qualified.
Chris Cooper, member of ISACA’s Emerging Trends Working Group, said: “If businesses are to maintain their cyber resilience in an ever-evolving threat climate, we must encourage and nurture talent in the cybersecurity industry. Employers are looking for people who already have hands-on experience, but we will only enable people to build that experience by creating more entry-level roles and investing in the right training and development for everyone in the industry, from the ground up.”