The ‘talent crunch’ in cyber shows no signs of easing, according to a study by the European Union’s cyber agency, ENISA.

It found that difficulties in attracting (cited by 76pc) and retaining (71pc) cybersecurity professionals persist, intensified by a shortage of skilled professionals and competition for talent. High turnover further reinforces this. As for threats, while DoS attacks put the most strain on daily operations, ransomware (55pc), supply-chain attacks (47pc) and phishing (35pc) are other organisational concerns.

ENISA Executive Director Juhan Lepassaar said: “The NIS Investments Study provides insights, central to ENISA’s role to support EU member states in building cyber resilience in critical sectors. The findings help us to better understand the challenges, target our support and inform our recommendations for the future.”

Although NIS2 (covering essential services and digital service providers, requiring a common level of cybersecurity across the EU) is prompting entities to strengthen some of the most demanding yet essential areas of cyber resilience, implementing it is widely perceived as challenging, the agency says. Organisations report patching (50pc), business continuity (49pc) and supply-chain risk management (37pc) as areas of difficulty. Organisations of different sizes have distinct challenges: for larger entities, it’s harmonised approaches and paths for the transition from legacy to modern technology. For small firms, it’s accessible guidance, affordable tooling (including managed and cloud services) and skills development.

Patching and testing

Timely patching and regular assessments remain challenging despite regulation. Almost one in three across sectors have not conducted a cybersecurity assessment in the past 12 months, while 28pc take more than three months to patch critical vulnerabilities. This is especially difficult for small firms, where both testing (63pc) and patching (51pc) present persistent challenges. As vulnerability exploitation is a leading intrusion access point, patching and implementation of the Cyber Resilience Act provisions to advance cybersecurity and resilience remain critical across the EU, the agency adds.

Comment

Sylvain Cortes, VP Strategy at Hackuity, said: “Achieving compliance with NIS2 has been a top priority for many organisations. Significant investments have already been made to reach the standards required, yet these findings reveal that major gaps still persist. Worryingly, patching continues to be a particular area of difficulty. This is especially concerning given that weaponised exploits represent some of the most serious risks organisations face – with potentially devastating consequences.

“This needs to change. Security teams need to be empowered with the right tools to identify and prioritise the vulnerabilities that pose the highest risk, and which could have the most severe business impact. Without this they’re in a constant loop of patching without the context to focus their resources where they are needed most.”