European CISOs feel the heat as skills shortage intensifies

Nearly two in three senior European security pros have considered leaving the industry as the skills shortage intensifies amid a wave of attacks, new research has revealed.

According to a survey of more than 3,000 security “decision-makers” in the UK, France and Germany, 63 per cent have thought about leaving the sector, while nearly half (44 per cent) feel their team lacks the skills required to stem the tide of incidents.

Some 48 per cent said attackers have “unprecedented resources and support from ‘bad actors’” including cyber crime gangs and state-sponsored actors, and 46 per cent said their teams were “too busy to keep up with the necessary skills development”.

The research, which was conducted by Goldsmiths University on behalf of the security giant Symantec, also revealed that the vast majority of professionals (78 per cent) have underestimated the level of resource required to deal with threats and the same number again have been forced to rush threat assessments.

“We’re not going to be able to recruit our way out of the talent gap. A more systemic change has to take place,” said Darren Thomson, a Symantec executive. “The cyber security landscape has changed dramatically since today’s CISOs [chief information security officers] entered the industry. With thousands of threat events happening every second and the complexity of the IT estate growing exponentially, simply keeping pace is a challenge.”

“Machine augmentation is mission critical, but security leaders must ensure that these tools don’t become part of the problem. Taking steps to reduce the complexity of cyber security, use of cloud-delivered security, increased automation and smart use of managed services can all help to reduce overload and improve retention.”

Richard Brinson, who has served as interim chief information security officer (CISO) at Unilever and Sainsbury’s, said he knew of a number of CISOs who had stepped down from their roles due to stress and moved into non-operational positions, such as research and consulting.

Given the shortage of CISOs, it’s not uncommon for positions to remain vacant for several months at a time. “Without a CISO in place, it’s difficult to move the security agenda forward, deliver against the strategy that’s been agreed and maintain the pace the board wants,” Brinson told NS Tech. “There’s a risk of stagnation and losing focus and momentum.”

In order to make the job more manageable, boards need to “provide clarity on what’s important to the business”, Brinson added. “For a lot of organisations stopping shipping goods is worse than a data breach. If the CEO and the board aren’t telling you that, you might be prioritising the wrong thing or nothing at all.”