Online attacks are now regularly making the front page across the world’s media. Equifax is the latest high-profile organisation to make the news, but for the wrong reasons. It was just a simple oversight, failing to install a software patch, but hackers duly exploited the careless error. Finding the highly skilled cybersecurity staff required to manage online threats is a growing problem among businesses.

Recent research from ESG concludes that 45% of organisations are reporting a lack of cybersecurity skills in 2017. Whilst the problem spans all of cybersecurity, the research showed that the skills shortage has had a big impact on the analytics and operations side of things.

  • 54% of businesses don’t have the appropriate security operations skills for businesses of their size.
  • 57% of businesses say they don’t have enough security operations staff for a business of their size.


Finding the specialist expertise required to effectively and thoroughly gather all of the information to perform the role can be difficult. ISC Squared predicts that the world will need an extra 1.8m cyber security professionals by 2022.

Taken from ESG, the top weaknesses cited by businesses as a result of these lacking skills were as follows:

Proactive threat hunting. This isn’t surprising as threat hunting is an advanced skill set. That said however, it is also a best practice within organizations that have established a cybersecurity center of excellence. Effective threat hunting helps organizations stay ahead of threats with the right security controls, and establishes the right knowledge for continuous security monitoring. Those organizations lacking the right skills for threat hunting can only hope to spot suspicious activities after a system has already been compromised.

Assessing and prioritizing security alerts. ESG research indicates that many firms are buried by the volume of security alerts, so identifying and prioritizing alerts is a mission-critical process. If your organization struggles here, you will likely miss something (or many things) and suffer the consequences.

Computer forensics. This too is an advanced skill set. Computer forensic weaknesses will make it difficult to discover the nuances of network penetration or system compromises. If you are unaware of these specific details, there’s no way you can protect your organization against similar attacks.

Tracking the lifecycle of security incidents. This is likely related to collective skills, processes, and tools deficiencies. For example, IT trouble ticketing systems often lack the functionality necessary for tracking malware or performing forensic investigations. When security incidents are discovered, security teams can’t always track the remediation progress of IT ops. In some cases, security and IT operations teams simply don’t work well together. Without sound incident lifecycle tracking, it’s simply impossible to monitor, measure, and adjust cybersecurity performance.

Tackling the Cybersecurity Job Gap

A study of almost 20,000 cybersecurity professionals worldwide indicates that the percentage of women in the industry has barely changed since 2004. Women comprise only 8% of the UK cybersecurity profession and 11% of the global workforce.  The study comes from The Center's Global Information Security Workforce Study, sponsored by Booz Allen Hamilton. 

It's projected that by 2022, there will be a shortfall of 1.8 million cybersecurity professionals. Whilst there are a myriad of factors that affect industry-specific job growth, it's clear that a drive to increase female interest in cybersecurity would have a dramatic impact on the reported skills shortage. 

IT governance suggests that the problem starts with education.  

A miniscule 0.6% of recent graduates (2012-2013) are currently working in cyber security. These statistics strengthen the belief held by many industry experts that the cause of the skills gap originates from schools.

To start closing the skills gap, schools and universities need to put a much stronger emphasis on cyber security. It shouldn’t go unnoticed that schools are trying, but often they aren’t aware of the threats that come with new technology.

At IT Governance, we always recommend that studying for the CISMP and CompTIA Security+ qualifications provides the ideal transition from experienced IT professional to useful cyber security professional.

Building a competent cybersecurity division in house can be an expensive investment. If you want an affordable, highly skilled and technical solution (such as FGX-Web) get in touch so we can help. If you’re concerned about the state of your website, try out our external malware scanner, its free and easy to use.