ISACA are makers of major security courses like the Certified Cybersecurity Practitioner CSX, CISA, CISM and CRISC, and they’ve recently produced an infographic that has revealed some interesting and eye-opening statistics. These statistics have come from surveys conducted by ISACA themselves, as well as IBM’s 2015 Cost of Data Breach Study, the UK House of Lords Digital Skills Committee and more. As providers of certifications to cyber security professionals, ISACA are using these statistics to help close the gap where the crucial IT security skills are most needed, as well as increase awareness about the skills shortages. Below is a breakdown of each stat highlighted by ISACA and their individual and collective implications for the IT industry. Make sure you check out the ISACA infographic at the bottom of the post.
The costs of the cyber security skills gap
In 2014, $1 billion worth of personally identifiable information (PII) was stolen. This means much more has been stolen since, through 2015 and beyond. As large as this figure is, more unidentifiable records that cannot be traced are highly likely to have been stolen too. This marks a huge amount of money stolen from businesses and economies. On top of this, there are the costs beyond money, like the breach of a customer’s privacy. This type of cost can mean stolen passwords, accounts, addresses, phone numbers or credit card details. These damages can cause loss of personal finance, credit card fraud or even identity fraud. Combined, this shows how cyber security threats are heavily draining businesses and individuals.
Unfortunately, the severity of these financial implications appears to be increasing. It is estimated $150 million will be the average cost of a data breach by 2020. This is roughly £107 million. The 2015 average in the UK was £1.46 million, more than doubling the 2014 figure of £600,000. This staggering figure, as well as the soaring increase, shows the need to increase security in all businesses, now. Technology and hacking techniques are continuing to advance and if your security is not sufficient and updated, you could be left vulnerable. The huge figure, as well as its meteoric rise, forces business managers to take company-wide action, rather than dumping the burden entirely onto IT departments.
97% of security professionals surveyed in ISACA’s 2015 APT study believe advanced persistent threats (APTs) represent a credible threat to national security and economic stability. These opinions come from knowledgeable professionals within the security industry, which is reason enough to take notice of this imminent and serious threat to our businesses and economy. Many businesses ignorantly and naively settle for sub-par IT security systems, but every business is a potential target and if you are not prepared, the consequences could be crippling.
The regularity of cyber security breaches
In the same ISACA survey, professionals from 1 in 4 organisations have experienced an APT attack. This shows the regularity of cyber attacks, as well as how widespread they now are. It’s also worth mentioning that 3 in 4 organisations believe they will be targeted in the near future, again reiterating how every business needs to be aware and prepared for cyber attacks.
1 in 2 believe the IT security department is unaware of all of the organisation’s Internet of Things (IoT) devices and 74% believe the likelihood of an organisation being hacked through IoT devices is high or medium. In our increasingly connected world, there are connectivity capabilities on a staggering number of devices, in our business and personal lives. All of these devices have the potential to become avenues that hackers can target to infiltrate a business. It is important for everyone in the company to be aware of the potential security risks, especially the IT department.
The need for cyber security professionals
2 million will be the number of cyber security professionals the industry will be short of by 2019. Numbers are often bandied about to estimate the number of cyber security professionals needed in the cyber security sector, and it’s difficult to determine the exact demand in the UK. However, it’s clear that 2 million reflects the trend in the current cyber security jobs market and is a worrying size considering the severity of threats. In the EMEA region, stats from (ISC)² estimate there will be 1.2 million cyber security roles that are constrained by a lack of supply in the industry.
The growth of demand for cyber security professionals is 3x the growth of the overall IT jobs market. On top of this, when compared to the overall jobs market, that stat grows to 12x. Also, a study from US News and World Report states that demand for cyber security professionals is growing at a rate of 36.5% through to 2022.
Looking slightly deeper into the cyber security jobs market, 64% of organisations believe just half or fewer of applicants for open security jobs are qualified. This highlights how the jobs market has become stagnant for employers due to the cyber security skills gap. At the bottom of this scale, many businesses are having to settle for candidates that aren’t good enough. A potential side effect is that professionals in the industry don’t have the skills to properly protect their business.
How can we develop more cyber security skills?
53% of organisations experience delays as long as 6 months to find qualified security candidates. This means it’s becoming more difficult, costly and time-consuming for employers to find the right cyber security skills to protect their business and assets. One avenue through which the skills gap can be closed is apprenticeships. The UK government is heavily investing in cyber security, with Chancellor George Osborne promising an extra £1.9 billion by 2020. Much of this investment will fund two new cyber security focused apprenticeships, the Cyber Security Professional and Cyber Security Analyst. Offered by Firebrand, these trailblazer apprenticeships are an excellent avenue to upskill staff, unrestricted by age limitations.
89% of consumers believe it is important for organisations to have cyber security certified employees. Another side effect of cyber security gaining more attention is consumers becoming more aware of its importance. Customers are recognising it’s vital for businesses to have certified cyber security professionals. By getting your security employees certified, not only will they learn and demonstrate more advanced skills, customers will recognise, value and appreciate the extra commitment to cyber security. This is another eye-opener to how important cyber security certifications are, and from a source you probably didn’t expect.
77% of women said that no teacher or careers advisor mentioned cyber security as a career – for men it’s 67%. The lack of women in IT has been a trend for much longer than the cyber security skills gap. It’s clear that the cause of this goes far deeper into society and change starts with giving children the opportunity and encouragement to get valuable IT skills at an early age. The 67% figure for men shows the problem is not unique to women. The root of the issue is that IT security is not taught in the school curriculum. This causes children, and their teachers too, to be unaware that cyber security is a career choice – one with excellent prospects.
What’s the solution?
The first step to help close the cyber security skills gap is for government and business leaders to realise the dangers that the skills gap presents. Thankfully, this is starting to happen. Back in November 2015 Chancellor George Osborne announced that the UK government was planning to invest £1.9 billion into cyber security. This type of commitment needs to continue, with business leaders and managers investing in cyber security training. This is important to give cyber security professionals the skills they need to properly protect businesses from cyber attacks. If these skills are in place throughout the UK, attacks will be prevented and the numbers reduced.
Also, the structure of education around cyber security needs to change. If the government were to introduce cyber security as part of the curriculum, it would encourage more children to choose cyber security careers. The government must continue to increase their investment into cyber security apprenticeships. This would encourage more young people and businesses to undertake apprenticeships, developing skills and successful cyber security careers. Finally, general awareness needs to increase around cyber security. This would help people take more steps to help prevent cyber attacks. These actions would change the culture of sweeping cyber security under the carpet, and get more skilled cyber security professionals into the industry to protect our businesses and economy.