ISACA’s annual “Privacy in Practice” survey paints a pessimistic picture of organizations’ ability to secure sensitive data, in spite of growth in the number of privacy professionals on staff and boards increasingly treating privacy as a priority. Though the desire to expand privacy departments is there, a major privacy skills gap remains: the labor market is tight, and budgets often do not stretch to recruiting top talent.
Organizations added privacy professionals in 2022, but demand still outstrips supply
The ISACA survey was conducted in the fourth quarter of 2022 and included about 1,890 working professionals who hold one of the organization’s cybersecurity or privacy certifications. Respondents spanned a range of industries, company sizes, and locations around the globe.
Staffing of privacy professionals increased from the prior year, but many teams remain understaffed. Both technical privacy and legal/compliance teams saw a slight year-over-year reduction in understaffing, yet more than half of technical privacy teams are still understaffed, as are 44% of legal and compliance teams. Median privacy staffing rose slightly from the prior year, but a privacy skills gap remains in many areas even as organizations seek bigger budgets to hire more talent.
Organizations report that hiring privacy professionals is a time-consuming process. 34% currently have open technical privacy roles, and 27% have open legal/compliance positions. About half of all organizations say that both of these roles take one to six months to fill, and a quarter say the process takes at least three months. 15 to 18% say it takes more than six months. Only 2% say they find it impossible to fill positions because of the privacy skills gap, but 20% answer that they “do not know” how long the average hiring process takes. Only about 2% are able to hire in under two weeks.
Part of what’s feeding the privacy skills gap appears to be a strong preference for experienced candidates. Over half of respondents say that it is “very important” that privacy professionals have direct experience in the role they’re filling. Only 40% view credentials as “very important,” and only 26% put the same weight on a university degree.
This does not appear to make it hard for newly minted privacy professionals to find work, however: only 12% of respondents say they have trouble filling entry-level roles. The privacy skills gap becomes more acute the more senior the position. 76% say they have difficulty filling expert-level roles, and 51% struggle to fill “practitioner”-level roles.
Among the specific elements of the privacy skills gap that stymie organizations, the most common is a lack of direct experience with the applications or technologies being hired for, cited by 63%. Other common issues include lack of experience with frameworks and controls, lack of understanding of relevant laws and regulations, and lack of technical expertise.
And what are organizations doing to address the privacy skills gap? Most commonly, non-privacy staff are offered internal cross-training opportunities to move into these roles. A little over a third of companies say they have also stepped up their use of outside consultants or temporary contract employees. 20% say they are looking to automation or artificial intelligence to take on some of this workload.
Budgets increase, but not enough to bridge privacy skills gap
More organizations now feel that their privacy programs are adequately funded, but the share is still well below half of all respondents (just 36%). 42% say their program is “somewhat” or “significantly” underfunded. And despite a small increase in overall funding, 39% of respondents say that lack of executive or business support remains an obstacle to building a privacy program, and 38% say they still struggle with a lack of visibility within the organization.
When it comes to accountability for privacy, organizations overwhelmingly want a senior executive, usually from the security or IT side, to own it. The top four picks for this role were a dedicated chief privacy officer, a chief information officer, an executive-level CISO, and a chief executive officer. Only 10% would consider a general counsel or chief legal officer, and for 5% the buck stops with the board of directors.
Organizations also say that privacy professionals from different teams do not meet particularly often. Only 7% meet weekly and 17% monthly; the majority meet either quarterly or just once or twice per year. 17% say they meet only when a new privacy law goes into effect.
Privacy professionals also report that organization-wide privacy training is still not particularly frequent, even as cyber attacks have surged in recent years. 65% say training is annual, 52% say it is part of new-hire training, and only 17% say it is done quarterly. 7% say no training is done at all, and 6% do not know how often it occurs. Only 5% reported more breaches than in the previous year, though more than half either declined to answer the question or did not know.
Finally, is AI expected to take on some of the workload left unaddressed by the privacy skills gap? At the moment, 69% of respondents either have no concrete plans or don’t know. Only 11% are currently using it, and 20% have plans in place to adopt it, or continue using it, in the next 12 months.
Tony Hughes, of the ISACA Emerging Trends Working Group, feels that the companies that are looking inward for candidates to retrain are on the right track as far as a short-term answer goes: “Only searching for candidates with specific experience and technical privacy skills is an outdated mindset – it immediately limits businesses to a small pool of people. Instead, organisations need to lean on reskilling people in non-privacy roles, using contract employees and focusing on individuals with the right soft skills to reduce the privacy skills gap.”