Man puts a padlock on people network showing privacy skills gap

New ISACA Report: Privacy Skills Gap Causing Security Vulnerabilities as Half of Companies Struggle to Fill Roles

A new report from IT governance association ISACA demonstrates that the longstanding privacy skills gap is more than just an annoyance; it is becoming a serious security liability as lack of training, poor app/service design and failure to detect personal data are leading to an increased amount of breaches.

About half of all organizations are struggling to fill both technical and legal & compliance roles, with about 3/4 anticipating a need to add both in 2022. Less than half are now feeling “very” confident in their program’s ability to oversee data protection and meet compliance requirements.

As privacy skills gap grows, security issues mount

Privacy in Practice 2022” reflects the results of ISACA’s annual State of Privacy Survey, which collects results from over 830 ISACA certification holders worldwide. The majority of respondents work in security or IT strategy/governance. 92% have been in their current field for at least six years and 70% are at the management or senior leadership level. The majority of enterprises are based in North America and have an annual revenue of over $1 billion, but organizations of all sizes and localities were included.

Though recruiting for privacy skills positions remains difficult, the size of privacy teams has actually grown slightly in the past year (from seven to nine members as a median). However, recruiting for related talent in both legal/compliance and technical areas is down and these areas are understaffed as compared to the previous year. 25% of organizations say they have unfilled legal/compliance roles, and 31% have unfilled technical roles. This is roughly a 10% increase in each of these areas from last year.

The survey results also indicate that confusion remains about who is ultimately responsible for overseeing privacy activities (and would be expected to take the lead in an emergency). Responses were roughly split in naming the various officers of the C suite; 4% said they didn’t know, and 3% said that no one specific was responsible. The technical and legal sides of the privacy skills workforce are also not communicating particularly often, with only 8% having weekly meetings. Most meet either quarterly or only once or twice per year, and 19% said they only meet when new laws and regulations emerge.

Once again returning to the subject of staffing and privacy skills, only 40% of respondents say they are adequately staffed and only 5% say they are overstaffed on their legal/compliance teams. Numbers are even worse for technical teams with only 38% satisfied with their staffing level. In most cases, organizations are saying that they are either “somewhat” or “significantly” understaffed in both areas.

These privacy skills positions are usually taking one to six months to fill, but 12% to 16% say it is taking longer than that. Working through under-qualified applicants seems to be a major component of this process, as only 8% of respondents said that more than 75% of the applicants they get are appropriately qualified for the job.

What about specific skill gaps? 64% say that experience with the necessary range of technologies and applications is the biggest gap. 50% also say that applicants lack understanding of applicable laws and regulations; the same number say that a lack of experience with frameworks or controls is a major gap. Other major skill gaps include business insight, IT operations knowledge and skills, networking skills and soft skills.

Demand will increase even as market remains understaffed

Though the market for privacy skills will remain tight, respondents see demand for both categories of privacy professional going up in the next year: 63% see a greater need for legal/compliance professionals, and 72% see a greater need for technical professionals.

In the meantime, lack of competent resources has moved into first place as the #1 cited challenge in forming a privacy program. This edges out lack of clarity on roles and responsibilities as the lead reason, but 23% of respondents still say that it is “difficult” or “very difficult” to understand their current privacy obligations. Respondents said that the most common privacy failing was a lack of privacy by design in applications and services, followed by lack of training and poor or nonexistent detection of personal information.

Organizations are also tending to do little to nothing to monitor the effectiveness of their privacy programs. Of those that do, most perform privacy risk and impact assessments. Only 36% say they are doing audits, and 20% said they either did not know or were not doing anything at the moment.

About half of all organizations are struggling to fill both technical and legal & compliance roles that require #privacy skills, with about 3/4 anticipating a need to add both in 2022. #respectdataClick to Tweet

A small majority of respondents (53%) do feel that boards of directors are prioritizing privacy and the acquisition of privacy skills in spite of the challenges. However, privacy training does not yet appear to be a common priority. 69% say it is done annually, as compared to 13% doing it quarterly. 53% include it in new hire training but not necessarily beyond that.