2016 ESG ISSA Cyber Security Survey Part II

Research Reveals “Human” Issues as Top Cyber Security and Business Risk

Milford, MA and Reston, VA – December 12, 2016 – Building on the conclusions of the recent ground-breaking global study finding that the cybersecurity profession is at risk, the Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG) revealed today new cyber security and business risks in Part II of their joint study.

In aggregate, 54% of cyber security professionals surveyed admitted that their organization experienced at least one type of security event over the past year, and the clear majority (92%) believe that an average organization is vulnerable to some type of cyber-attack or data breach. Yet, surprisingly, none of the top contributors are related to cyber technology. Rather, they point to human issues such as a lack of enough cyber security staff members as well as a lack of employee training and boardroom prioritization.

Further supporting this finding, 69% of cyber security professionals say the global cyber security skills shortage has had an impact on the organization they work for, leading to excessive workloads, inappropriate skill levels, high turnover, and an acute shortage especially in the areas of security analytics, application security, and cloud security.

In this time of fluid world events, such as the U.S. presidential transition, cyber security professionals surveyed also send a strong message to national governments: the vast majority believe that their nation’s critical infrastructure is extremely vulnerable or vulnerable to some type of significant cyber-attack, and they want government more involved in cyber security strategies and defenses. Going further, they recommend specific government actions that include providing better ways to share security information with the private sector, incentives to organizations that improve cyber security, and funding for cyber security training and education.

“There’s lots of research indicating a global cyber security skills shortage, but there was almost nothing that looked at the associated ramifications. Based upon the two ESG/ISSA reports, we now know that beyond the personnel shortage alone, cyber security professionals aren’t receiving appropriate levels of training, face an increasing workload, and don’t always receive adequate support from the business. Simply stated, these findings represent an existential threat. How can we expect cyber security professionals to mitigate risk and stay ahead of cyber threats when they are understaffed, underskilled, and burned-out?”

Jon Oltsik, Senior Principal Analyst at the Enterprise Strategy Group (ESG)

Based upon the data collected from the first global survey to capture the voice of cyber security professionals on the state of their profession, this final report of the two-part series, titled “Through the Eyes of Cyber Security Professionals: Annual Research Report (Part II),” concludes:

  • People and organizational issues contribute to the onslaught of security incidents. Nearly one-third (31%) of cyber security professionals say that the cyber security team is not large enough for the size of their organization, 26% point to a lack of training for non-technical employees, and 21% say that business and executive management tend to treat cyber security as a low priority. This data is especially troubling as it suggests that many organizations continue to lack a proportional commitment to cyber security.
  • Most organizations are feeling the effect of the global cyber security skills shortage. Sixty-nine percent of cyber security professionals say that the global cyber security skills shortage has had an impact on the organization they work for. What type of impact? More than half (54%) say the cyber security skills shortage has resulted in an increasing workload on existing staff, 35% say it has forced them to hire and train junior employees rather than bring on more experienced cyber security professionals, and 35% say that the cyber security skills shortage has led to the inability to learn or fully utilize some of their security technologies.
  • Cyber security professionals have several suggestions to help improve the current situation. Cyber security professionals were asked what type of cyber security actions would be most beneficial to help their organizations. Forty-one percent suggested increasing the cyber security budget, 40% proposed adding cyber security goals and metrics to business and IT managers’ objectives, 39% recommended increasing cyber security training for non-technical employees, and 39% advised hiring more cyber security professionals.
  • Critical infrastructure is very vulnerable to cyber-attacks. A majority (62%) of cyber security professionals believe that their country’s critical infrastructure services like electric power, telecommunications, and water are very vulnerable to some type of significant cyber-attack.
  • Government cyber security tends to be incoherent and incomplete. More than one fourth (26%) of cyber security professionals surveyed say that their country’s cyber security strategy is extremely unclear and not at all thorough while another 37% claim that their country’s cyber security strategy is somewhat unclear and not very thorough. This leads to an obvious conclusion: If cyber security professionals don’t understand their country’s cyber security strategy, who does?
  • Cyber security professionals want more help from their governments. More than half (57%) of cyber security professionals believe that their government should be significantly more active with cyber security strategy and defense while another 32% say that their government should be somewhat more active with cyber security strategy and defense.

“The results gleaned from this research are both alarming and enlightening. Alarming in the sense that if we don’t collectively pay attention to the cries for help, we will put businesses unnecessarily at risk. Enlightening in that organizations need to be willing to invest in their cyber security professionals, with clearly defined career paths and skills development in order to hire and retain qualified employees,” said Candy Alexander, Cyber Security Consultant and ISSA’s Chair of the Cyber Security Career Lifecycle. “This research data will help the ISSA and other professional groups to clearly define career paths for our profession.”

The report also lays out the “Top 5 Research Implications” as a guideline for cyber security professionals and the organizations they work for. Added Oltsik, “Assume your organization will experience one or several cyber-attacks or data breaches and take the cyber security skills shortage into account as part of every initiative and decision. Push for more all-inclusive cyber security training and, as importantly, get involved in educating and lobbying business executives and lobby government legislators alike.”

With 437 information security professionals surveyed, representing organizations of all sizes and professionals located in all parts of the world, the research titled “The State of Cyber Security Professional Careers (Part I): An Annual Research Project (Part I)” is a cooperative research project by ESG and ISSA and the first global survey focused on the lifecycle of cyber security professional careers. Part II in the series concentrates on cyber security professionals’ opinions about their organizations’ cyber security practices as well as the overall state of cyber security.