With high-profile security breaches like Equifax, the publicity over data security, as well as the cost, has only continued to grow. According to The 2017 Cost of Data Breach Study from the Ponemon Institute, the global average cost of a data breach is $3.6 million, or $141 per data record.
Businesses large and small have faced financial ruin and severe reputation damage in the wake of breaches, putting a harsh light on the growing need for greater data security that evolves as the techniques of adversaries do. Many organizations have turned their sights on emerging technology to solve this problem, but unfortunately, this is not a silver bullet solution.
At the same time, cyber security publications proclaim the growing crisis of the cyber security skills shortage, a deficit that is expected to reach over 285 thousand unfilled positions in the United States alone. While the industry recognizes the problem, little has been done to identify why this problem exists and what can be done to combat it. Until now.
Cybrary conducted a survey of more than 3,100 IT, security, and other professionals. Our goal: to better understand their cybersecurity preparedness, learning habits, and factors that improve defensive capabilities. Survey respondents reported various levels of experience: those with five or more years of experience made up the same proportion as those with one to three years in their field.
Our survey showed:
- One-third of their organizations have experienced a security breach.
- 68% doubt their organization’s readiness to thwart advanced threats.
- 80% of respondents do not feel adequately prepared to defend their organization.
What are they doing about this?
- 35% of respondents spend at least $1,000 annually on training-related expenses.
- Only 15% say employers cover all training expenses.
If organizations are not prepared for a breach, why aren’t they investing in training?
This is an especially valid question when you consider the survey found “Respondents whose employers paid for their training (and spent higher amounts on that training) felt their organizations were significantly more capable of meeting the security challenges facing them.”
Invest in your Team, Invest in Security
A team’s cybersecurity preparedness can be determined by two factors: experience and training. From that perspective, given the choice of hiring expensive veterans or investing those extra dollars in training entry-level or intermediate staff, which will best prepare an organization to defend itself?
Our data shows that company support for training displays a much stronger effect than experience. As seen in Figure 12, respondents whose employers paid for their training (and spent higher amounts on that training) felt their organizations were significantly more capable of meeting the security challenges facing them.
Remember the consternation some expressed after Equifax’s fall 2017 mega-breach, upon finding that its Chief Security Officer (CSO) had a music composition degree? The assumption was that music has nothing to do with security, so anyone with that degree is unfit for such a role. Many in the industry objected because many security professionals have an educational background that doesn’t match their current role.
Preparedness and aptitude stem from a willingness to learn. This is a process that must be completed continuously throughout a professional’s career. This is especially true in a field where tools and techniques change rapidly.
“It is clear that the likelihood of employer-paid training increases with the respondent’s level of experience. Whether that’s a good thing or not is another question. Logic suggests that the learning needs of junior employees were at least equal to that of those with more experience — and quite possibly more. This in itself might be a contributor to the overall talent gap in IT or cybersecurity, regardless of gender or ethnicity,” writes Wade Baker of Cyentia Institute.
How to Combat the Skills Gap
If you’re interested in integrating an organizational training approach, here are a few points to keep in
- Get employee feedback on the types of training they’re interested in pursuing.
- Use annual performance reviews as a means of implementing structured, consistent training.
- Align training material to both company objectives and individual employee objectives.
Employees who understand the value of continuous learning will regularly invest in their career development.
Best said by Cybrary COO, Kathie Miley, “Leaders must prioritize creating a dynamic learning environment where experience is not only rewarded, but less-experienced employees receive the support they need to improve their skills. The future of modern business is dependent on people.”