List: Insurance, knowledge gaps also need addressing
Global HR and recruitment firm Harvey Nash has released its second annual report looking at the current state of the cyber security industry, which it put together alongside PGI Cyber Security.
The survey spoke to cyber security professionals, and revealed that some worrying gaps in knowledge, skills and resources still exist within organisations in tackling the ever growing threat of cyber security.
What is also clear is that while still in demand, top engineering skills are no longer enough in the industry, business acumen is required too.
Stephanie Crates, Head of Information Security Practice – London, at Harvey Nash, said: "Increasingly companies are looking for people who are able to influence, persuade and educate as much they can design, build and test."
Here are some of the key points from the survey.
1. Cyber professionals believe their CEO have major knowledge gap
54% of boards are ultimately responsible for cyber strategy, the majority of cyber security professionals report to a C-Level executive, and 87% of cyber security professionals believe that senior-level buy-in is critical to security success.
Despite all this, and even with the growing realisation in the C-Suite and board room that they need to take the lead in dealing with cyber attacks, 33% of cyber security professionals thought that their CEO had a major gap in their knowledge.
Somewhat reassuringly, CIOs and CTO’s are believed to be the most informed about information security, by 54% and 48% of cyber security professionals respectively.
2. Cyber security professionals still think there is more for their firm to do
The survey found that while most do feel that their organisation have the basics of cyber security covered, a considerable percentage, 85%, still think there is more that their firm can do.
More worryingly, over one quarter, 26%, believe that there is significantly more work to do revealing major gaps in the security landscape that leave both firms and their customers vulnerable to cyber attacks.
A good demonstration of the gaps in strategy is that only 11% said their firm tested its incident response process monthly, with over half testing yearly or less frequently.
The top three factors holding back the cyber security strategy according to the survey were the budget, which was selected by 57% of respondents, not having a security aware culture, selected by 49% of respondents, and a lack of understanding of the real threat which was cited by 43%.
3. Skills shortage remains
The skills gap for those already in the industry around technical skills has long been known. However, as cyber security becomes an increasing corporate concern, cyber security professionals are increasingly worried that they do not have the business skills required to implement a robust cyber security strategy either. 38% of cyber leaders said that they do not have the internal skills to achieve their security strategy.
43% of respondents said they were lacking training and awareness skills, and 38% were lacking project managers and leaders.
The demand for technical skills continues unabated too, with 50% saying they were looking to hire security architects, a 6% rise from the year before, making it the fastest growing information security skill.
Other highly in demand skills were security training and awareness (wanted by 42% of hiring managers), senior information security leaders (39%), SCO analyst (34%) and security engineering (33%).
4. Firms still don’t have Cyber Insurance
Another worrying discovery is that less than one fifth of firm’s with revenue of £50m or less have taken out cyber insurance to protect themselves in the case they are breached. Things are not much better with larger firms either, as only 29% of mid sized firms, and 24% of large firms have cyber insurance.
Almost half of the security professionals surveyed did not expect their firm to take out such insurance in the future, with 48% of all senior information security professionals saying they have no plans to invest in cyber insurance during 2016.
5. Women in cyber security earn more than men
The survey found that the average salary for an information security professional is slightly under £100,000. The average base salary for a CISO is £125,962, for a Head of Information Security Manager it is £90,714, and for an Information Security Manager it is £71,538.
In an IT rarity, women are actually paid more than men in cyber security. The average base salary for a male cyber security professional is £97, 619, while for a woman it is £115,714. The report says that the smaller pool of women means that those in the industry "can expect to command a salary premium, especially for senior roles."