A Spiceworks survey shows that the cybersecurity skills gap is unlikely to improve in the near future, especially considering a majority of organizations do not employ cybersecurity specialists, have no plans to hire the expertise, and aren’t willing to invest in the security training their IT pros need.
The survey revealed that only 29% of organizations have a cybersecurity expert working in their IT department, and the numbers weren't any better elsewhere. A mere 7% of organizations have a security expert in another department and only 7% have one on the executive team. The silver lining may be that 23% of organizations contract outside security experts to help protect their environments and to help fill this knowledge gap.
However, 55% of organizations said they don't have regular access to any IT security experts at all, internal or third-party. And the situation is not improving much in the near term—a majority of companies have no plans to hire or contract one within the next 12 months.
Also, levels of security certification within IT departments are not very high, as the survey showed that 67% of IT pros do not have any security certifications.
The most common certification held by IT pros is the basic CompTIA Security+, which 17% of respondents had earned, many saying that the designation is beneficial for getting a foot in the door for job interviews. At a distant 2nd and 3rd place are the CISSP at 2% and CEH at 1%.
When IT pros were asked if executives are making IT security a priority, 73% said it is for the CIO and senior IT leaders, followed by 56% and 54% saying that the CTO and CEO prioritize security, respectively. However, less than 50% said cybersecurity is a priority for their CFO, COO, or CMO.
Regarding IT training, 18% of employers are very open to spending and encourage employees to pursue training, with an additional 6% of employers being extremely open and having already made investments.
However, most organizations may not pay for IT training. At 57%, the majority of employers are somewhat open to spending on training, but it takes some convincing to get them to do so. At the same time, nearly 20% of organizations are not open to paying for an employee's IT training at all.
And when asked how confident IT pros are in their ability to respond to cyberattacks targeted at various devices/services in the workplace given their current security skills and the resources available to them, more than 80% of IT pros are confident in their ability to respond to cyberattacks on endpoints such as laptops, desktops, and servers.
IT pros are also relatively certain that they are able to secure and protect storage devices (72%) and networking hardware (72%). However, IT pros are much less confident in their ability to respond to cyberattacks on less traditional IT devices, including tablets (58%), smartphones (52%), cloud services (44%), and IoT devices (36%).