Under the Microscope: ISACA Survey on Cybersecurity Workforce, Resources and Budgets
A major survey that like all surveys needs to be examined carefully rather than accepted blindly.
ISACA’s 2021 report on the cybersecurity workforce sees little adverse effect from the pandemic on cybersecurity during 2020, but notes a continued downward pressure on budgets and a correlation between the number of unfilled positions and staff retention, and the number of cyberattacks experienced.
There is no differentiation between an attack (which may be unsuccessful) and a breach or compromise (which is a successful attack).
The problem with all surveys is that they deliver a subjective interpretation of subjective replies to frequently ambiguous questions that may not even be the right questions. This is not a criticism of anybody involved, but merely an observation that surveys raise at least as many questions as they answer.
The ISACA State of Cybersecurity 2021, Part 1 is a report on the survey of 3,659 cybersecurity professionals (93% being ISACA members) to evaluate workforce efforts, resources and budgets. It uses a multi-choice and Likert-scale format for responses from the participants. This type of survey is probably the only way in which such a volume of responses can be analyzed, but it provides no scope for subtleties in replies. This heightens any ambiguity inherent in the survey and its analysis.
One area where there is little ambiguity is the conclusion that the COVID-19 pandemic has had little overall effect on cybersecurity staffing and budgets – although, says the report, “survey data indicate it mitigated retention woes during 2020.” Respondents indicating difficulty retaining talent dropped to ‘just’ 53% – a reduction of 4% over the previous year’s figure – and likely a recognition that an economic recession and period of great uncertainty is perhaps not the best time to move on and seek alternative employment.
Heather Paunet, senior VP at Untangle, highlighted a recruitment gain from the pandemic. “We hired a few positions remotely that we wouldn’t have considered doing before, allowing us to find and retain the right talent for our teams,” she told SecurityWeek. The pandemic work-from-home paradigm allows companies to fish in the global talent pool rather than being limited to just those people within easy commute range.
However, one example of potential ambiguity within this survey relates to the demand for cybersecurity candidates to have a university degree. It isn’t specified in the report whether this is always any degree or always a cyber-related degree. If it was similarly unspecified in the questions, it is possible that some respondents took it to always mean cyber-related, while others took it to always mean any university degree. The report doesn’t tell us.
Being more specific, one question asks if “graduates in cybersecurity are well prepared for the cybersecurity challenges.” Only 4% of replies strongly agreed with this. But at the same time, 58% of respondents say their organization typically requires a university degree (type of degree unspecified).
Elsewhere, responding to the question on what is important in determining if a candidate is qualified, 68% say a university degree is somewhat or very important; 79% want prior hands-on training; 89% want credentials; and a colossal 95% want prior hands-on cybersecurity experience.
There is an inbuilt bias towards the need for certification because 93% of the respondents have paid to join ISACA. Many will have gone on to study for, pay for, and qualify for one or more of the many certifications offered by ISACA. Anecdotally, CISOs have often told SecurityWeek that certifications may be nice, but are hardly ever critical to employment.
The last in the list of determinations for suitability for employment (the need for prior experience) is the crux of the whole problem: if you cannot get a job without experience, how do you get a job to get the experience to get the job? If the skills gap is a measure of employment vacancies, it brings into question the whole concept of the skills gap. The more difficult it is to get a job in cybersecurity, the bigger the skills gap. But if the industry lowered its demands, then that skills gap would start to fill and decrease. The skills gap itself becomes something not measured by skills, but by industry demands.
Turning to what is lacking rather than what is required in new candidates, the biggest problem by far is seen to be a lack of soft skills, at 56%. Second, at 36%, is a lack of expertise in “Security controls (e.g., endpoint, network, application, implementation)”. Interestingly, all gaps other than soft skills could be filled by on-the-job training. Soft skills are probably better taught and learned at school or college.
It is tempting to suggest that this is an argument for eliminating the requirement for previous experience and to concentrate recruitment on aptitude, with an Arts degree supplemented by in-house training. Arts graduates are inclined to be better at soft skills (because of their constant use of communication skills in presenting arguments) than science students who can largely get away with just presenting facts. This is not exclusive, but opening to non-cybersecurity degrees might improve the level of soft skills in cybersecurity while simultaneously reducing the skills gap.
Another area where business shirks responsibility is by blaming inadequate education for not preparing youngsters for cybersecurity. “Despite years of effort by government, industry and academia,” says the report, “and despite the expenditure of large swaths of taxpayer dollars, little has changed.” That may be because industry is demanding an impossible solution from education ‒ nothing changes faster than technology and cybersecurity, and yet we expect education to get ahead and prepare kids for the yet unknown.
Dirk Schrader, global VP of security research at New Net Technologies, calls this cybersecurity’s race of fear and urgency – fear of being compromised and urgency to prevent it as far as possible – which creates the notion that only ready-for-use cybersecurity personnel will save the day.
“Two findings mentioned in the report are telling in this regard,” he told SecurityWeek, “the soft skills gap and the notion that university programs are missing out on topics like networking and hardening. Soft skills aren’t trained in universities and networking can be learned and trained outside of them – as most of us in senior cyber security positions are likely to remember. Organizations,” he continued, “should look for talent from a different perspective, with a focus on the willingness to learn, to advance while on the job.”
It may be that business has to accept some responsibility for the so-called skills gap, and find its own solution rather than expecting third parties to solve it. It may be that the skills gap is partly created by business demanding the impossible.
Entirely missing from this year’s survey report is any discussion on the diversity issue. This is a shame. While diversity in cybersecurity goes way beyond the male-to-female issue, it has a major impact on staff recruitment and team efficiency. ISACA has relegated (it would say ‘promoted’) diversity-related data collection to the One In Tech foundation it launched in 2020,
Readers are warned that this article is a subjective review (mine) of the subjective interpretation (ISACA’s) of the subjective responses (the participants) of the subjective, limited and possibly ambiguous questions (of the survey designers). This is why all surveys should be taken with a pinch of salt, and not blindly accepted as gospel.