Breaking Compliance News Blog

Understaffing increases cybersecurity risk

Posted by Scott Gima on 12/6/22 10:21 AM


Workforce statistics: An (ISC)2 workforce survey of 11,779 cybersecurity practitioners and decision makers reported strong increases in cybersecurity workers:

  • The US cybersecurity workforce increased by 5.5% between 2021 and 2022.
  • Globally, the increase was 11.1%, or 464,000 new workers.

But demand for cybersecurity workers grew almost twice as fast, so the shortfall widened. In the US, the workforce gap increased by 9.0%. The global gap has climbed by 26.2% since 2021.

Why it matters: For organizations, unfilled cybersecurity jobs increase the risk of a successful cyber event. The (ISC)2 survey identified multiple staffing related problems:

  • 70% of organizations don’t have enough cybersecurity staff to be effective.
  • More than half believe their organization is at a “moderate” or “extreme” risk of cyberattack.
  • Oversights in certain procedures have occurred.

These vulnerabilities worsened in 2022:

  • Not enough time for proper risk assessment and management
  • Oversights in process and procedure
  • Slow patching of critical systems
  • Not enough time to adequately train each cybersecurity team member, and not enough training resources
  • Misconfigured systems

The top four reported reasons for the shortage:

  • 43% - My organization can’t find enough qualified talent.
  • 33% - My organization is struggling to keep up with turnover and attrition.
  • 31% - My organization doesn’t pay a competitive wage.
  • 28% - My organization doesn’t have the budget.

Tackling the problem: The (ISC)2 survey identified multiple strategies. While all had a positive impact, some were more effective than others. Organizations that focused on training were least likely to have staffing shortages; these organizations rotate job assignments, run mentorship programs, and encourage employees outside of cybersecurity to join the field. Organizations that outsourced cybersecurity reported a higher percentage of staffing shortages. Effective strategies include the following:

  • Provide more flexible working conditions (e.g., Work From Home / Work From Anywhere).
  • Recruit, hire, and onboard new staff.
  • Invest in certifications.
  • Invest in diversity, equity, and inclusion initiatives (e.g., attract more women and minorities to enter the cybersecurity profession).
  • Use technology to automate aspects of the security job.
  • Hire for attitude and aptitude, and train for technical skills.

Don’t overlook organizational culture. The survey found that dissatisfaction was driven by organizational issues rather than the job itself. Reasons for high levels of work dissatisfaction include:

  • My employer does not value or listen to my input.
  • Poor relationship with team members or managers.
  • I feel like my job exists only to prevent breaches and I will be blamed if one occurs.
  • Lack of support from executives/managers.

The strategies that were most effective in creating a positive culture include:

  • The organization values and listens to the input of all staff.
  • Proactively soliciting feedback on employees’ needs.
  • Implementing technology to make security professionals’ jobs easier.
  • Promoting cybersecurity awareness to the whole organization.
  • Team building/bonding exercises/activities (e.g., office happy hour, company outings/trips).

One more tip: If you are understaffed in the cybersecurity department, use your HIPAA Security Risk Analysis to triage needs and put your limited resources where they are needed the most.

Read more at the Wall Street Journal.

Topics: HIPAA, security, compliance