Tue | Aug 10, 2021 | 3:15 AM PDT

Do you feel like your cybersecurity team has been overwhelmed throughout the past year? If your answer is yes, you are certainly not alone.

With practically every organization adapting to some form of remote work, coupled with a significant increase in cyberattacks, the workload for security professionals has never been higher. 

And there is something else. New research suggests the cybersecurity skills crisis continues to get worse.

ISSA and ESG report on cybersecurity skills shortage

The Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG) just released their annual global study of cybersecurity professionals. 

The joint report from the two organizations, The Life and Times of Cybersecurity Professionals 2021, surveyed 489 cybersecurity professionals to get their perspectives on the current state of the industry and what specific areas need the most help.

Some notable statistics from the survey include the following:

  • 62% report increasing workload for the cybersecurity team
  • 38% report unfilled open job requisitions
  • 38% report high burnout among staff
  • 95% report the cybersecurity skills shortage and its associated impacts have not improved over the past few years
  • 44% report it has only gotten worse

The report also names the most often cited areas of significant cybersecurity skills shortages: cloud computing security, security analysis and investigations, and application security.

Why is there a persisting cybersecurity skills shortage?

One of the primary reasons for this skills shortage is that cybersecurity as a profession remains systemically undervalued, according to the report.

The report discusses the need for fair and competitive compensation:

"In a new finding this year, not offering competitive compensation is the top factor (38%) contributing to the organizations' cyber skills shortage because it makes it difficult to recruit and hire the cybersecurity professionals that organizations need.

More than three-quarters (76%) of organizations admit that it is difficult to recruit and hire cybersecurity staff, with nearly one-fifth (18%) stating it is extremely difficult. Being offered a higher compensation package is the main reason (33%) CISOs leave one organization for another."

However, the research also found there is something else beyond money that is very important to cybersecurity professionals.

How can organizations address the cybersecurity skills shortage?

A majority of those surveyed believe that more investments in training could have a tremendous impact.

"When asked what actions organizations could take to address the cybersecurity skills shortage, the biggest response (39%) was an increase in cybersecurity training so candidates can be properly trained for their roles.

To maintain and advance their skill sets, many cybersecurity professionals seek to achieve at least 40 hours of training each year. Nearly a quarter (21%) of those surveyed did not meet 40 hours of training per year. The main reason they cited was that their jobs do not pay for 40 hours of training per year and they can't afford it by themselves, according to nearly half (48%) of respondents."

That is one of the reasons SecureWorld has always been about connecting, informing, and developing leaders in cybersecurity. You can see our conference calendar here and our webinar lineup here for ongoing learning opportunities.

The report also identified another obstacle within the industry: "The paradox that professionals face where they are called upon to make up for the existing skills shortage in addition to falling behind on their own development."

Industry leaders address cybersecurity skills shortage

Two contributors to the report shared their thoughts on the skills shortage and what can be done about it.

Candy Alexander, Board President at ISSA International and SecureWorld keynote speaker, said:

"There is a lack of understanding between the cyber professional side and the business side of organizations that is exacerbating the cyber skills gap problem. Both sides need to re-evaluate the cybersecurity efforts to align with the organization's business goals to provide the value that a strong cybersecurity program brings towards achieving the goals of keeping the business running. Cybersecurity leaders should be able to link the security efforts directly to strategic business goals."

Jon Oltsik, Senior Principal Analyst and ESG Fellow, said:

"This report reveals some deep-seated issues with cybersecurity professionals and their organizations. ESG and ISSA hope that cybersecurity professionals use this research to better understand their profession and peers as they manage their careers.

For business and cybersecurity professionals, the data should be seen as a set of guidelines for maximizing cybersecurity investment, improving cybersecurity job satisfaction, and aligning cybersecurity with the business mission. The message is clear: Organizations with a cybersecurity culture are in the best position."

For more information on the cybersecurity skills shortage report, follow this link.
