解决网络技能缺口+Tackling+The+Cyber+Skills+Gap

TACKLING

THECYBERSKILLSGAP

GlobalCyberSecurityReport2023

Expertsin

Technology

CONTENTS

03—IntroductionJamesMilligan,GlobalHeadofTechnologySolutions

04—Aboutthesurvey

05—OrganisationReportingstructure,attackexperiencesandstrategy

06—InvestmentShareofbudgetandchangestospendfor2023

07—HiringIn-demandskillsandrecruitingtalent

08—RetentionandskillsRetainingandupskillingexistingtalent

09—TheHaysview

10—CyberintheSpotlightvideoseries

11—Nextsteps

2|GlobalCyberSecurityReport2023

3|GlobalCyberSecurityReport2023

INTRODUCTION

THEDEMANDFORCYBERSKILLS

Whileitwasalreadybecominganecessityforthevastmajority

oforganisations,recenteventshavemeantthattherateofdigital

transformationhasacceleratedoverthelastthreeyears.Thatmeansanincreaseindatamanagement,whilehybridandremoteworkingmeansthatworkersneedsecureaccesstotheiremployers’servers.These

changeshaveaffordedthreatactorsgreateropportunitiestoexploitorganisationsandinfrastructurethaneverbefore,aswellasprovidedaddedmotive.

Allofthishasmeantthatthedemandforpeoplewithcybersecurity

skillshasincreased.AtHays,weplacedover750peopleintorolesin

2022asorganisationssoughtthetalentneededtoimplementtheir

defencestrategies.However,asthisdemandoutweighsthesupplyof

peoplewithexperienceoraccreditationsincybersecurity,it’snotalwaysstraightforwardtofillthoseroles.

Isthisskillsshortageaffectingorganisationssignificantly?And,ifso,how?

Thisiswhywe’vedecidedthatit’stherighttimetocreateourfirstglobalreport.Ourstudy,carriedoutinthefinalmonthsof2022,aimedtoexplorehoworganisationsaroundtheworldhaveadaptedtheircybersecurity

strategytotackletoday’sthreats,aswellasthechallengesthey’vefacedindoingso.Bysurveyingsecurityleadersfromacrossseveralindustriesandsenioritylevels,wewantedtodiscoverwhichfactorswereimpactingtheirabilitytohireandretaintalent,andwhetherthelevelofinvestmentfrom

theirorganisationismeetingtheirneeds.

Themostrevealingfindingwastheextenttowhichorganisationshavebeenimpactedbythelackofqualifiedcandidatesincybersecurity.

Overall,90percentofleaderssaidtheskillsgaphadaffectedtheirabilitytoimplementtheircybersecuritystrategy.

It’snotbeeneasytoaddress,either.Hiringtalentisanissue,withroughlytwothirdsofleadersadmittingthattheydonotratetheirorganisation’s

abilitytorecruitpeopleworkingincybersecurityhighly.Findingincentivestoretainandtrainyourexistingtalentbecomesevenmoreimportant,

especiallyastheyreceiveoffersfromorganisationsfacingthesameproblem.Providinglearningresourcesisattractivetoemployeesand,giventhebenefitsitbringstoanorganisation’scybersecuritystrategy,theinvestmentisworthit.

Despitethis,manyofourrespondentswereconcernedaboutthefundsbeingallocatedtocybersecuritywithintheirorganisation.Although

companieshavereactedtoglobaleventsbyputtingmoremoneyintosecurity,almosthalfofleadersexpectminimalchangetotheirbudgetin2023.

Ourstudyhasshownthatfindingandhiringtherighttalentisasignificantchallengeforbusinessesglobally,andthatthelackofskillsisaffectingsecurity.What’sthesolution?

90%ofleaderssaidtheskillsgap

hadaffectedtheirabilitytoimplementtheircybersecuritystrategy.

AtHays,weliketotalkaboutundiscoveredtalent.Ononehand,these

mightbepeopleouttherewhodon’thavetheexactexperiencethat

organisationsareseeking,butwouldbeahugeassetifthey’reopento

training.Ontheotherhand,undiscoveredtalentmayalsorefertothosewhoaren’tgiventhesameopportunitiesastheirpeersineithereducationortheworldofwork,butcanbringplentytoyourorganisation.Inadditiontopeoplecomingfromalowsocio-economicbackground,therearealso

thoseweaimtohelpthroughour

FocusingOnEmploymentInequity

report

,suchasthoselivingwithadisabilityoryoungpeoplestrugglingtostartonthecareerladder.

Inthisreport,you’llfindinsightsonallofthechallengesthatcyber

securityleadersarefacingin2023,fromprotectingtheirorganisationtoretainingtrainedemployees.Ifyouarehavingsimilarexperiencestoourrespondents,we’vealsosuggestedsomestepsthatyoucantaketoensuresustainablecybersecuritysuccess.

Lastly,I’dliketothankalloftherespondentswhotookthetimeto

completeoursurvey.Withoutyourhelp,wewouldnotbeabletoprovidetheseinsights.

JamesMilligan

GlobalHeadofTechnologySolutions,Hays

ABOUTTHESURVEY

Wecarriedoutourresearchacross29countries,surveyingover1,000cybersecurityleaders.Thestudyexploredhoworganisationsarerespondingtorecentglobalevents,theirinvestmentincybersecurity,theirchallengesinhiringandretainingstaff,aswellastheskillsourrespondentssoughtandhowtheseweredevelopedamongtheworkforce.

Whenexaminingthedata,weinvestigatedwhethertherewereanydiscrepanciesfromregiontoregion,inordertoprovidelocalinsights.However,ouranalysisrevealedlittletonovariation-thefindingsinthisreportreflectwhatishappeningaroundtheglobe,asleadersfacethesamechallengesandturntothesamesolutions.

UKIandEMEA

•Austria

•Belgium

•CzechRepublic

•France

•Germany

•Hungary

•Ireland

•Italy

•Luxembourg

•Poland

•Portugal

•SaudiArabia

•Spain

•Sweden

•Switzerland•UK

•UAE

Americas

•Brazil

•Canada

•Chile

•Colombia

•Mexico•USA

AsiaandANZ

•Australia

•China

•Japan

•Malaysia

•NewZealand

•Singapore

4|GlobalCyberSecurityReport2023

Employeesatourrespondents’organisations

5,000+

37%

101-1,000

25%

Senioritylevelofourrespondents

C-suite

16%

Director

24%

Manager

50%

1,001-5,000

21%

0-100

17%

10%

VP

experienced?

Whattypeofattackshave

Cybersecurityteamsarenotalwayspositionedstrategically

you

Manyleadersreportthatrecentglobalevents,suchasgeo-political

Phishing

84%

Malware/Virus

48%

34%

External

46%

ofleadersdonotbelievethattheircybersecurityteamreportsintotherightpartoftheirorganisation

Ransomware

31%

DataLoss/Theft

30%

Thepandemicandgeo-politicalclimatehaveaffectedorganisations’security

72%

ofleadersfeelthatrecent

globaleventshavehada

‘Major’or‘Moderate’impactontheirorganisation’scyberriskprofile

5|GlobalCyberSecurityReport2023

conflictsandthepandemic,haveaffectedthecyberriskprofileattheirorganisation.

Thepandemicinparticularhasacceleratedtheneedfordigital

transformation,whichhasgivengreateropportunitiestocyber

criminals-84percentofleadersreportingthattheirorganisation

experiencedaphishingattackin2022.Employeeshavehadto

becomesavvierasaresult,with77percentofleadersreportingthatcybersecurityawarenessisgreaterthanitwasthreeyearsago.

Organisationshavehadtorespondswiftlytocombatpotentialthreats,butincorporatingcybersecurityintotheirstrategyhasnotbeena

naturalprocessforeveryone.Athirdofleadersdonotagreethat

cybersecuritysitsinthecorrectreportinglinewithintheirbusiness.

77%

ofleadersstatethatsecurityawarenessintheirorganisationisgreaterthanin2019

ORGANISATION

Inordertogaininsightsintohoworganisationsarerespondingtocyberthreats,

weneededtounderstandhowtheyarebeingaffectedandwheretheirsecurityteam

fitsinthereportingline.

Obtaininginvestmentincybersecurityhasbeeneasiersincethepandemic

Whatisyourorganisation’sannualspendincybersecurityinproportiontoITbudget?

Withsecurityaconcernacrosstheglobe,leadersarelookingfora

0-2%

Stronglyagree

14%

11%

3-4%

Agree

15%

34%

Neutral

5-6%

18%

37%

Disagree

7-8%

10%

14%

Stronglydisagree

3%

N/A

1%

9-10%

21%

11%+

22%

Investmentisnotnecessarilyalignedwithsecurityleaders’needs

47%

ofleadersexpect“Minimalchange”totheirbudget

in2023

6|GlobalCyberSecurityReport2023

financialcommitmentfromtheirorganisation.Overafifthofour

respondentsreportthatatleasttenpercentoftheirorganisation’sITspendisallocatedtosecurity.

However,whileonly17percentofleadersdisagreewiththestatementthatinvestmentincybersecurityhasbeeneasiertoreceivesince

thepandemic,almosthalfexpectminimalchangetotheirbudgetin2023.Asaresult,thereisaconcernoverwhetherinvestmentincybersecuritywillbesufficientfortacklingtoday’sthreats.

68%

ofleadersare“Extremely”,“Very”,or“Moderately”

concernedabouttheirbudgetin2023

INVESTMENT

Wewantedtoexplorehoworganisationsareinvestingincybersecurity,andwhethertheirbudgethasincreasedasaresultofglobaleventsandtrends.

seek

skills

front-line

recruitcybersecuritytalent

Organisations

Organisationsstruggleto

Topfivechallengesinhiringtalent

Whenaskedwhatwouldimprovethesecuritycapabilityattheir

organisation,leadersmostlynamedskillsthatwouldreinforce

thefrontlineofdefence,suchascloudsecurityandarchitecture.

Thisalignswithourowninsights,asgloballywe’reseeinghighestdemandforengineersandarchitects.However,thechallengeistofindworkerswiththeknowledgeandexperiencerequiredtofillroleswithintheirorganisation.

Meanwhile,leadersfacecompetitioninhiringthosewiththerightcredentials,who,inturn,areabletodemandahighersalary.Infact,twothirdsofleadersdonotratetheirabilitytoattractcybersecuritytalenthighly.

Thismeansthatorganisationsmustlookforunexploredoruntrainedtalent,anapproachthattheyareopento.Overhalfoftheleaders

surveyedstatethattheyarelikelytohireworkerswhodon’tholdformalaccreditations.

“Two-thirdsofleadersdonot

ratetheirabilitytoattractcybersecuritytalenthighly.”

7|GlobalCyberSecurityReport2023

1Salaryexpectation

2Missingskills

3Competition

4Lengthofworkingexperience

5Lackofexperienceatasimilarorganisation

Topfiveskills/implementationsthatwouldenhancesecuritycapability

1Cloudsecurity

2Governance,RiskandCompliance

3SecurityArchitecture

4SecurityEngineering

5

SIEM/SOC

HIRING

Withtheskillsgapposingproblemsintech,wewantedtounderstandthechallengesthat

organisationsfaceinrecruitingtalent.

66%

ofleadersdonotrate

theirorganisation’sability

toattractcybersecurity

talenthighly

talent

turning

Employersare

tounexplored

56%

ofleadersarelikelyto

recruitsomebodywithout

formalITsecurity

accreditations

Theshortageinskillsishavinganimpactacrosstheboard,with90percentofleadersrevealingthatithasaffectedtheirsecurityimplementation.Iftheexperiencedtalentisn’treadilyavailable,organisationsmustfindnewwaystofilltheseroles.

Inordertoclosetheskillsgap,leadersbelieveupskillingand

cross-trainingtheirteammembers(i.e.teachingthemhowtoperforminnewroles)arethebestroutestosuccess.Indeed,manyleaders

reportthattheirorganisationinvestsintrainingemployees;however,thisinvestmentdoesnotstretchtoretainingtheirexistingtalent,as

employersinsteadofferwork-lifebalanceperksovermonetaryreward.

RETENTION&SKILLS

Inadditiontohiring,howareorganisationsretainingexistingtalent

andequippingthemwiththeskillstheyneed?

Skillsshortages

areaffectingsecurity

90%

ofleadersbelieveaskills

shortagehasimpactedtheirabilitytoimplementtheir

cybersecuritystrategy

“Manyleadersreportthattheirorganisationinvestsintrainingemployees;however,this

investmentdoesnotstretchtoretainingtheirexistingtalent”

8|GlobalCyberSecurityReport2023

Skillsdevelopmentisusedforthebenefitoforganisationsandworkersalike

Topfivestrategiestoclosethecybersecurityskillsgap

1Upskilling

2Cross-training

3Recruitmentpartner

4Hire,trainanddeploy

5Universityoutreach

Topfivestrategiesforcybersecuritytalentretention

1Remoteandhybridworkingarrangements

2Work-lifebalance/Wellnessoffering

3Flexiblehours

4Professionaldevelopmentopportunities

5Careergrowth&progression

It’snecessarytoequiptheworkforcewithnewskills

71%

ofleaderssaythattheir

organisationinvests

inupskillingitscyber

securityworkforce

THEHAYSVIEW

Haysexpertsgivetheirthoughtsonthefindingsinourreport

andwhattheymeanforleadersin2023.

EdmondPang

Director,CyberSecurity,APAC

Similartothegloballandscape,thereis

nosurprisethatcyberthreatshaveincreasedintheAPACregiongivenCOVIDlockdownsbeingtheperfectstorm,withsomehigh-profile

breacheshighlightedinthemedia.Asaresult,we’reseeingcountriessteppingupwiththeirpoliciesandinvestmentintocyber.

Forexample,Australiahasincreasedpenaltiesforbusinessesthatdonotsufficientlyprotectcustomerdata,whiletheSecurityOfCritical

InfrastructureAct(SOCI)hasbeenamendedtostrengthenthesecurityandresilienceofcriticalinfrastructure.NewZealandhasupdatedandfinalisedtheNewZealandInformationSecurityManual(NZISM)withfourpolicychangesinSeptember2022.Japanhassteppedupon

regulatoryrequirementsinindustriessuchasBankingandInsurance,andtheMalaysiangovernmenthasannouncedincreasedfundingsintotheTech&Cybersecurityspace.

Overall,theAPACcybermarketwillcontinuetobehotbutthereare

extremechallengesrelatedtotheconstantwarfortalents.Apartfromthetypicalsecurityroles,wehaveseenanincreasedneedfortalents

withinGRC,CTi,IAMandSecurityForensicsacrosstheregion,butagainalackofsuitabletalentswithinthemarket.

JamesWalsh

Director,CyberSecurity,UK&Ireland

Asacrosstherestoftheglobe,thecyberthreattoUK&Iorganisationshasbeengrowingexponentially.Thereisabattletocombatavarietyofthreatactorsacrossallsectorsand,everincreasingly,awarfor

talenttoo.

Asanindustry,wehavetolookmoreatbringingindiversetalent

poolsthatofferdifferentskillsandapproachestotackletheproblems.Apositivefromthereportisthatover70percentoforganisationsinvestinupskillingtheircyberprofessionals.ThroughourPermanent,Contract,StatementofWorkandHireTrainDeployoffering,wearehelping

organisationstoimprovetheirsecuritypostureanddiversity.

MiguelDuran

Director,CyberSecurity,NorthAmerica

MichaelBeaupre

HeadofCyberSecuritySolutions,EMEA&DACH

Cybercrimetearsthroughourliveslikearagingstormanddoesnot

discriminate.Itcandevastateanycompanyanywhere.Fromsmalllocalbusinessestolargeglobalenterprisesandeverythinginbetween.

Arewecollectivelypreparedtoweatherthesecyberstorms?Themajority

ofemployersarestrugglingtohiretoptalentandseethisgapasasignificantrisktotheircybersecuritystrategies.Wemustpartnerasacommunity

anddevelopnewandinnovativewaystoattract,train,andretaincybersecuritytalent.

Overtwo-thirdsofsecurityleaderspolledaroundtheworldareworriedabouttheirbudget,andwemustjointlyoptimiseourinvestmentsin

cybersecuritytechnologyandcapability.Thismeansworkingtogetherwithcybersecurityprovidersandtalentprovidersonabroadscaleandengagingboardlevelleaderstoidentifythemostcriticalassetsineachcompany.Wecan’taffordtoprotecteverything,andwemustprioritisebasedonrisk,resiliency,andoperationalrelevance.

Understandingthatweareallinthisfighttogetherandthechallengeswefacearenotuniquetoourcountriesorourindustrieshelpsussharesolutionsandcapabilitiesacrossboundaries.Cybercriminalsknownoboundaries,andourresponsesshouldharmoniseacrossborders.

IamveryexcitedforthisinauguralreleaseoftheHaysGlobalCyber

SecurityReport.Withtheever-growingdemandinthemarket,weat

Hayswantedtoprovideacomprehensivedeepdiveintotheglobalandregionalchallengessecurityleadersfaceandhowkeyglobaleventshaveaffectedthethreatlandscape,alongwithhowtoadaptandovercomeinaheightenedskill-shortageeconomy.

This,alongwithourannualsalaryguide,willbeagreattoolforcyberleaderstouse,andhelpovercomeinternalconversationsaroundhowtopivotinthisfluidstatewearecurrentlyin.

Asanindustry,wehavetolook

moreatbringingindiversetalentpoolsthatofferdifferentskillsandapproachestotackletheproblems.

9|GlobalCyberSecurityReport2023

CYBERINTHESPOTLIGHTVIDEOSERIES

InourYouTubemini-series,wespoketocybersecurityleadersworldwidetogaininsights

intothewaytheywork,thechangesthey’reseeingandthechallengestheynavigate.

DeepayanChanda

PrincipalCybersecurityArchitect,Lab49

Withthisconstantskillsshortagechallenge,ITcertificationsoranykindofeducationincybersecuritydoplayavaluablerole.However,inordertogetthemostvalueoutofcertifications,peopleshouldalignthesewiththecareerpaththey’rechoosing.Ibelievethatmostcertificationsarenotdependentonlocation.

Therearemultiplethingswecandotohireandretaintalent.Letthe

candidateoremployeeknowwhattheroleisallabout–thereshouldbenoambiguityintheroledefinition.Keepaneyeonmarkettrends,

ascompensationdoesplayahugepartinretainingtalentonacase-by-casebasis.Lastly,andpossiblythemostimportant:empowertheroleitself.Peoplewanttoseetheimpactoftheworktheyaredoingand,ifthatisnotvisible,thenit’sreallyachallengetokeeptalent.

Watchthefullinterviewhere

fenerg

NiamhMuldoon

CISO,Fenergo

Attractingtalentisonething,retainingtalentissomethingdifferent.It’suptoaCISOtoretaintoptalent.It’saboutunderstandingwherepeoplewanttogointheircareerandfuellingthemwiththeskillset,expertiseandexperiencetogetthere.Peopleneedtoknowthebigpictureandunderstandwhattheycangetintermsofopportunitiesfromtheirorganisation.

We’reveryfocusedontechnology.Ifyoutakeastepbackandlookat

whatinformationisallabout,it’sconfidentiality,integrityandavailabilityofdata.Theopportunitythereistothinkaboutsecurityinawider

context,andnotjustfocusontechnology.

Watchthefullinterviewhere

10|GlobalCyberSecurityReport2023

RonBushar

SeniorVPandGlobalGovernmentCTO,Mandiant

Inthesamewaythatthere’saglobalarmsraceincyber,there’saglobaltalentraceinthesamedimension.

We’verecognisedthatyoucan’tcontinuetotaketheapproachof,“Ionlywantthebestpersonincyberintelligence,Ionlywantthebestincidentresponseguyintheworldetc.”There’sonlyafewofthose,sowehavetoshiftourthinkingaroundhowtotrainandequipthenextgeneration.

Don’tjustlookatsomebody’sresumeandsay,“theydon’thave20years

ofexperienceandadegreeincybersecurity,sothey’renogood”.Itis

soimportanttoembracediversity,expandyourapertureofwhoyou’re

attractingtocometotheorganisationandthentakethetimetotrainthem.

Ican’ttellyouhowmanycandidatescomethroughthatyouwouldsay

don’thavethetraditionalexperience,buthavebeenabletocomeintoarole,trainwithexpertsinthefieldandquicklybecomeextremelycapable.

Watchthefullinterviewhere

Itissoimportanttoembracediversity,expandyourapertureofwhoyou’re

attractingtocometotheorganisationandthentakethetimetotrainthem.

NEXTSTEPS

Thisreporthashighlightedthattheskillsshortageincybersecurityishaving

animpactonorganisations’defencestrategies.Withthisskillsgapposing

aproblemformanycybersecurityleaderswhoarehiring,it’simportantthat

organisationsfindaneffectivesolution.Herearesomerecommendations

wehavefornextsteps:

Considerunexploredtalent

Althoughtheymaynothavetheexperienceorcompleteskillset,therearepeopleouttherewiththelearningmindsettohelpyourbusiness.Broadenyoursearchandthinkabouttherelevantskillsanyrecruitswouldneedandwhichtheycouldbuilduponwiththerighttraining.

Similarly,there’stalentwiththeskillsyou’rel