Developing and optimizing cybersecurity staff has been listed by a research firm as the top security priority for organizations over the next 12 months for the second year in a row.
The recommendation came in the release this week of Info-Tech Research Group’s Security Priorities 2024 report.
The five priorities were chosen from a combination of the results of surveys and interviews with leaders, plus Info-Tech Research’s decisions.
The other priorities that management, IT, and infosec leaders should set this year are:
— securing the AI revolution;
— embedding security risk management with the enterprise;
— putting a zero trust strategy into operation;
— and automating security processes.
The choice to make talent development and hiring the number one priority should come as no surprise. It topped the cybersecurity concerns named by 573 leaders surveyed last year — the third year in a row it led the survey.
This year it was closely followed by the rising cost and high requirements of cyber insurance, vulnerabilities in the IT systems of suppliers, and executives or boards not sufficiently aware of cyber risks.
“Security leaders still emphasize the priority of spending on training and development, but there’s still a shortage of workers in the industry,” Ahmad Jowhar, lead analyst for the report, said in an interview.
“Investing in your employees will yield long-term cost savings.”
The report concedes that there has been some progress for organizations in finding the right security talent. However, it adds, “the constant concern indicates the need for an innovative approach that organizations should adopt to assist in mitigating the talent shortage gap.”
The right talent could be closer than you think, the report notes. Many organizations have employees whose skills and interests equip them to be developed into cybersecurity professionals.
The report points out that a recent survey of more than 14,000 infosec pros by ISC2 (the International Information System Security Certification Consortium) found 52 per cent of respondents said they began their careers in a non-cybersecurity IT position.
“This indicates an opportunity to leverage those transferable skills in a security role, which would enable organizations to stay competitive while also enabling continuous personal development for their employees,” the report says.
The report estimates 58 per cent of worker shortages can be mitigated by upskilling competency gaps.
To help with the talent shortage, the report says organizations should:
• define the competencies needed to support the security program;
• assess employees’ current proficiency levels across defined competencies;
• prioritize competencies against known organizational priorities;
• acquire competencies through available learning and development tools and resources;
• and enable continuous improvement of employee proficiency by periodically reviewing competency gaps.
Asked why some organizations may not yet have a zero-trust strategy although the approach is several years old, Jowhar said these firms may feel a lot of work is needed to make the concept reality. That’s why Info-Tech recommends IT leaders break up the work into four manageable chunks, he said.
The purpose of the report is to give organizations a high-level idea of where their security investments should go this year, Jowhar said.
Infosec leaders could also take the recommendations to their stakeholders to either obtain some buy-in or give them an idea of what an advisory firm says should be their priorities, he added.