The cybersecurity skills shortage is getting worse

For the past four years, ESG and the Information Systems Security Association (ISSA) collaborated on a research project focused on the experiences, opinions, and careers of cybersecurity professionals (download this year’s report).

At the risk of appearing like Chicken Little, I am quite alarmed.  The security industry continues to address major issues with a combination of technology reliance and lip service.  Yup, we remain gaga over technology and wave our arms around with training programs, but we aren’t making much progress.

Case in point: The global cybersecurity skills shortage.  The research data clearly indicates that this situation not only isn’t improving, but it may in fact be getting worse.  For example:

• 70% of cybersecurity professionals claim that their organization is impacted by the cybersecurity skills shortage. In the past four years, this percentage ranged from a low of 69% to a high of 74%, so the data shows a general lack of improvement.
• The primary ramifications of the skills shortage include an increasing workload on the existing cybersecurity staff, long-standing open jobs, an increase in hiring and training junior personnel, and an inability to learn or utilize security technologies to their full potential. This last implication is somewhat ironic.  We are so busy putting out cybersecurity fires that we haven’t taken the time to learn how to properly use the hoses. 
• Skills shortages are most acute among application security specialists, cloud security specialists, and security analysts. With organizations developing more software, moving workloads to the public cloud, and facing more sophisticated threats, these shortages are disconcerting, to say the least.
• Only 7% of cybersecurity professionals claim that their organization has improved its position relative to the cybersecurity skills shortage over the past few years. Alternatively, 45% say that things have gotten worse while 48% believe things are about the same today as they were in the past.  So, we are either treading water or drowning.
• When asked if their organizations were taking the necessary actions to address the impact of the cybersecurity skills shortage, 58% of cybersecurity pros believe their organization should be doing somewhat or much more.

To be clear, the cybersecurity skills shortage has two components.  The obvious one is that there aren’t enough cybersecurity professionals in the overall pool, so everyone is fighting for the same talent.  Additionally, there is an acute shortage of advanced cybersecurity skills.  Good luck finding an experienced threat hunter, incident responder, or cloud security architect. 

The implication here is that we are overworking the cybersecurity staff and relying on marginally skilled individuals for advanced requirements.  This is akin to asking a nurse practitioner to perform open heart surgery. 

If there’s one thing we can take away from four years of data on the skills shortage, it’s time we face facts.  At a time when demand for cybersecurity aptitude is increasing, supply remains stagnant. 

With a revolution in digital transformation, IoT, and “smart” infrastructure, the cybersecurity skills shortage should be seen as an existential threat, not a minor inconvenience.  It’s time that business leaders, elected officials, and educational institutions treat it as such.