Only one-third of US, UK companies use an infosec professional

Nearly half of US and UK companies do not have access to an in-house cyber-security professional within their IT department, according to a recent survey.

How professional is your cyber-defence?

Only 29 percent of IT professionals at midsize and enterprise organisations in the US and UK said an in-house cyber-security professional works in their IT department, and 55 percent of the IT pros said they do not have regular access to either an in-house or third-party cyber-security professional. 

Those were the findings of a survey by IT software firm Spiceworks, which pointed to the severity of the cyber-security skills shortage.

Only seven percent of IT pros said their company has a cyber-security professional on its executive team. A separate poll conducted by Spiceworks in May supports these findings. In that study, 67 percent of IT professionals said they possess no information security certifications.

Among companies that do not have an in-house security professional, most participants said they expect their company to hire or contract a cyber-security professional in the next 12 months.

However, the decision to retain cyber-security personnel is easier said than done, as many employers report difficulty finding qualified information security candidates to fill positions due to the skills gap.

“With more organisations competing for the same talent, we're starting to see a severe shortage, which is just going to get worse,” wrote Sean Costello, senior vice president of North America at Experis. “Companies need to get ahead of this trend and start thinking more about development and how they will resource their growing talent needs going forward.”

The lack of skilled cyber-security personnel has led to unfortunate consequences at the companies that do not retain cyber-security professionals. According to a survey published Tuesday by Skyhigh Networks and the Cloud Security Alliance, nearly 30 percent of information technology professionals have admitted to ignoring security alerts due to the high volume of false positives.

“You've seen a lot of well-known companies that have experienced leaked data or a breach,” Spiceworks IT analyst Peter Tsai told SCMagazine.com. In many cases, companies received significant fines because they did not adhere to industry standards, he noted.

“Hiring somebody who is well-versed in information security is needed,” Tsai said, although he noted that education of all employees within an organisation is also essential. “The end user is always the weakest link in the chain.”