Budget shortages and bad management impact staff retention

News by SC Staff

Increases in security budgets are lagging behind the racing growth in threat levels, finds a survey by the Chartered Institute of Information Security.

Cyber-attacks hit an all-time high last year. Yet organisations are still suffering from a lack of budget to strengthen their security measures and train their employees, according to the Chartered Institute of Information Security.

The annual survey of the information security profession by the Chartered Institute (previously known as the IISP) reports that 62 percent of respondents said their budget increase for security in 2018 was below threat levels. That’s up from 54 percent giving the same response in 2017.

A survey of cyber-security professionals in the financial services industry (FSI) by Synopsys Cybersecurity Research Center (CyRC) and Ponemon Institute reveals a similar picture.

More than half of respondents to this survey said their organisations need more resources and in-house expertise to mitigate cybersecurity risks. Only 45 percent of respondents said they have adequate budget to address cyber-security risks, and only 38 percent said their organisations have the necessary cyber-security skills.

According to the survey, 75 percent of financial service organisations provide some level of training. However, 32 percent of respondents said it is optional, and 24 percent said it is only for certain teams. Only 19 percent said their organisations insist on such training.

There is an acute skillset shortage in the industry, and training and development budgets hardly meet essential needs, SC Media UK reported in June. As a result, technologists find their autonomy curtailed as they struggle to convince management to allot the budget needed for training and development.

All these factors have led to severe attrition in the industry, noted the Chartered Institute report. "Bad management" was cited as the number one reason for leaving a company. Lack of autonomy or of the ability to use initiative, of career progression and of the chance to experience variety were also prominent reasons given for changing jobs.

These reasons seem more valid when we consider the age group of cyber-security professionals. "The ages of people filling the survey in are mostly flat, but still there are twice as many younger people reflected than when the survey began," the report said.  

Image courtesy: Chartered Institute of Information Security

When it came to pay, the industry gave a mixed response. Almost nine out of ten respondents were earning above £50,000 and close to a quarter were on six-figure packages. However, only two of the seven pay bands listed by the Institute showed an increase over last year.

"In the middle of a skills shortage, organisations need to treat their workers carefully. Losing them through a lack of investment, through failing to help develop skills, or simple poor management, cannot be allowed," said Amanda Finch, CEO of the Chartered Institute. However, hiring just anyone to fill the vacancies poses the risk of worsening an already bad situation, she warned.

"Instead, organisations must understand what roles they need to fill; what skills those roles demand; and what skills applicants have. Armed with this, businesses can fill roles and support workers throughout their careers with the development, opportunities and training they need," she added.

"People join security posts for the remuneration, the opportunity and the variety; they move on when managers under-perform or if that opportunity doesn’t materialise. It would be an unwise organisation that didn’t recognise this, given the rising threat, the shortage of people and the other financial/regulatory pressures they face," the report concluded.
