Key Points
- Cybersecurity Skills Gap Challenge
- Increased Entry-Level Professionals
- Lack of Practical Experience
- Negative Impact on Career Prospects
A recent report from ISACA, the Information Systems Audit and Control Association, indicates that despite substantial global investments in cybersecurity training, the cybersecurity skills gap may prove to be more challenging to tackle than initially thought. While there has been an increase in the number of entry-level cybersecurity professionals as a result of expanded training initiatives, organizations continue to grapple with a shortage of experienced cybersecurity experts, as noted by the International IT Governance Professional Association.
In its “State of Cybersecurity 2023, Global Update on Workforce Efforts, Resources, and Cyberoperations” report, ISACA underscores the importance of moving beyond a narrow focus. The report also raises concerns about redundant job postings and the difficulties faced by aspiring cybersecurity professionals, who have invested significant time and resources in pathway programs but struggle to secure employment in the field.
A critical concern highlighted in the report is that if this issue remains unresolved, it will exacerbate the ongoing challenges faced by students and career changers. Despite possessing knowledge, skills, and credentials, these individuals currently find it difficult to secure employment due to their lack of practical experience. This worsening situation could have a significant negative impact on their career prospects.
The annual ISACA report, conducted in the second quarter of 2023, gathered insights from over 2,100 professionals worldwide, including those with ISACA Certified Information Security Manager (CISM) certification.
What is ISACA?
ISACA is a global, nonprofit organization dedicated to advancing and promoting universally recognized knowledge and practices in the field of information systems (IS). Formerly named the Information Systems Audit and Control Association, it now operates under its acronym alone.
ISACA offers valuable resources such as guidance, benchmarks, and governance tools to enterprises that rely on information systems.
Additionally, the organization hosts a range of international conferences centered around both technical and managerial subjects related to IS assurance, control, security, and IT governance.
Cybersecurity 2023 report
Entering its ninth year, ISACA’s annual global State of Cybersecurity Report compiles insights from over 2,000 information security professionals. The summary of the report:
As per the Security Report, several noteworthy trends were observed by cybersecurity experts throughout the year. The Russia-Ukraine conflict served as a stark example of how traditional kinetic warfare can be complemented by cybernetic warfare. This dynamic has also influenced the broader threat landscape by reshaping the nature of hacktivism and the involvement of independent threat actors in state-affiliated missions.
The ongoing war has witnessed a surge in the use of wiper malware, a trend that has been adopted by various actors. In fact, 2022 marked a significant increase in global wiper attacks, surpassing the cumulative figures of the previous decade.
Traditional cybercrime tactics have evolved. In 2022, threat actors began employing more legitimate tools in their operations, including native operating system files, IT software, and penetration testing tools. These tools aid them in staying discreet and evading detection.
Ransomware attacks have taken on a new dimension, with threat actors increasingly bypassing the encryption process. They have realized that the main financial gains often come from data breaches and the subsequent threat of publishing victim data.
Mobile device attacks have become more sophisticated, with attackers frequently mimicking legitimate applications to deceive users.
In the cloud threat landscape, data hosted by third-party providers is particularly vulnerable. Misconfigurations, overly permissive roles and permissions, and publicly stored access keys can all expose companies’ data to potential breaches and attacks.
These trends underscore the evolving nature of cyber threats in 2022 and the need for robust cybersecurity measures to address these emerging challenges.
Cybersecurity professional retention increasing
Retention rates have improved, with a 6% decrease in respondents reporting retention challenges compared to the previous year. However, this improvement is likely due to economic uncertainty rather than better working conditions. The top reasons for employees leaving include being recruited by other companies (58%) and dissatisfaction with financial incentives (54%). Work-related stress remains a significant factor (43%), followed by limited remote work options and poor work culture. The report suggests that uncertainty is reducing job changes, and organizations are tightening budgets and compensation due to the possibility of an upcoming recession.
State of cybersecurity varies across regions
In Europe, 52% of organizations reported experiencing more cyberattacks than the previous year, while in Oceania, this number was even higher at 56%, surpassing the global average of 48%. However, the report revealed that companies in both the European and Oceania regions were underreporting cyberattacks, with 78% failing to accurately report them.
In terms of confidence in cybersecurity teams’ ability to detect and respond to threats, Oceania lagged behind with only 36% expressing confidence, compared to the global average of 42%.
Regarding educational requirements for entry-level cybersecurity positions, 52% of employers globally still require a university degree. Notably, Europe and Africa saw decreases in this requirement, while Asia and North America remained unchanged. Latin America and Oceania, on the other hand, reported increases of 9% and 10%, respectively, in the demand for a university degree.
COVID-19 Impact on Global Cybersecurity
During the pandemic, numerous organizations transitioned from office-based work to remote work in accordance with government social distancing regulations. This shift in work environment created opportunities for cyberattacks targeting company databases, information, and systems, particularly with the persistent occurrence of COVID-19-themed web and email attacks, as well as targeted Remote Desktop Protocol (RDP) attacks. Consequently, the awareness training market experienced significant growth due to the escalating cybercrimes, cyber threats, and security concerns associated with the COVID-19 pandemic.
The remote work model that became prevalent during this period turned into a breeding ground for a variety of cyberattacks, including Man-in-the-Middle (MITM) attacks, intrusions, and spear phishing attempts. Furthermore, the market’s expansion was driven by several factors, such as the increasing internet penetration in developing and underdeveloped countries, the rising adoption of wearable devices, smartphones, and removable devices, the surge in COVID-19-related scams, counterfeit emails, and marketing proposals, as well as malicious attacks targeting small and medium-sized enterprises (SMEs) and startup companies.