In response to a long trend of insufficient cybersecurity development in state and local government, a nonprofit membership association released a study Wednesday revealing a significant decline in institutions’ abilities to defend against cyberattacks.
The study, titled IT Professionals are a Critically Underutilized Resource for Cybersecurity, was conducted by the International Information System Security Certification Consortium (ISC2) and provides survey data from 3,300 IT professionals — 877 of whom were U.S. government respondents. According to the study, most enterprises and government agencies lack a sufficient number of skilled cybersecurity professionals on staff and are receding in their ability to identify and recover from cyberattacks.
Of the U.S. government respondents surveyed, ISC2 found that 53 percent say their systems are less able to defend against a cyberattack compared to a year ago. This issue indicates a continuing retreat in how government agencies are approaching cybersecurity.
In recent months, state governments have tried new methods of bolstering their IT workforces by offering high school students access to cyber education platforms, adopting frameworks to standardize cybersecurity language, and even enlisting the help of volunteers.
Despite these efforts, the data produced by ISC2’s study shows that state governments see struggles everywhere in cybersecurity, with 38 percent saying their organizations don’t provide adequate resources for security training, and 68 percent claiming their organizations don’t have enough cybersecurity team members.
A primary source of this issue, as outlined in the study, is an inefficient approach to staffing. ISC2 describes the organizations’ attitudes toward cybersecurity training and development as “problematic.” This attitude, the study suggests, has led to an unrealistic expectation from organizations to hire employees who already have the required expertise instead of developing their current team members.
“Considering the evolving nature of the threat landscape, hiring people with all the requisite experience is a challenging prospect,” the report says. “Even experienced security pros need constant refresh because the threat landscape changes rapidly.”
Another source of poor cybersecurity staffing, according to the study, is a lack of financial investment in training. The data show that an underwhelming portion of all respondents — 34 percent — receive paid training from their employers, with 29 percent saying that their employers split the cost and 34 percent reporting that they are required to pay for the training in full. Investing in cybersecurity isn’t only beneficial for preventing attacks, says the group; it also improves employee retention.
To entities that don’t see cybersecurity as an immediate threat, the study asserts that cybersecurity is probably a threat nonetheless.
“This is a serious concern because some advanced malware variants are designed to hide undetected in networks, quietly siphoning off data to hackers’ command and control servers,” the report states.
In light of these findings, ISC2 announced recent modifications to its Systems Security Certified Practitioner (SSCP) certification, which covers subjects including: security operations and administration, risk identification, incident response and recovery, network and communications security, and cryptography.
The prerequisites for this certification have been reduced to streamline the path to certification. The SSCP certification now requires a degree in cybersecurity or computer science from an accredited college or university — as opposed to earlier prerequisite standards, which consisted of both a degree and a year of full-time, paid professional experience.
In its report, ISC2 urges organizations to pursue professional development and training for IT professionals and cybersecurity specialists, claiming that “leadership in the public and private sector needs to realize that IT staffers are dramatically underutilized when it comes to cybersecurity.”