Here’s a quick review of some of the cybersecurity skills shortage data I’ve cited about in recent blogs:
- According to ESG research from early 2017, 45 percent of organizations claim to have a problematic shortage of cybersecurity skills.
- In a recent research project conducted by ESG and the information systems security association (ISSA), 70 percent of cybersecurity professionals say the cybersecurity skills shortage has had an impact on their organization. The skills shortage has led to an increasing workload on existing staff, the need to hire and train junior employees due to the lack of experienced talent, and a situation where the cybersecurity staff spends most of its time on emergency issues and very little time on proactive strategic planning or training.
- When asked to identify factors that contributed to past security incidents, 22 percent said their cybersecurity team was not large enough for the size of their organization, while 18 percent stated that the cybersecurity team cannot keep up with the workload.
- More than two-thirds (67 percent) of cybersecurity professionals claim they are too busy with their jobs to keep up with skills development and training.
So, in aggregate, many organizations are understaffed, many lack some (or many) types of advanced cybersecurity skills, and the staff is too busy to invest time in continuing education to keep up with the latest threats. Yikes!
Huge demand for cybersecurity talent
CISOs recognize these issues and many organizations are actively hanging a "help wanted" sign to find cybersecurity talent. Unfortunately, it is exceedingly difficult to bring new people onboard. Why? Experienced cybersecurity professionals are in high demand, so organizations are engaged in a battle royale to coax them away from their present employers and outbid others for their services.
Here’s a scary statistic that backs up this claim: According to a recently published ESG/ISSA research report titled, The Life and Times of Cybersecurity Professionals, 49 percent of cybersecurity professionals are solicited to consider other cybersecurity jobs by various types of recruiters at least once per week! Further analysis of this data:
- Cybersecurity leaders are heavily recruited as 61 percent of CSOs/CISOs and VP-level candidates are solicited to consider other cybersecurity jobs by various types of recruiters at least once per week.
- Sixty-six percent of cybersecurity professionals working in healthcare are solicited to consider other cybersecurity jobs by various types of recruiters at least once per week.
- Weekly recruitment is about equal, around 50 percent for cybersecurity professionals in North America and Europe.
This data suggests that CISOs should be prepared to spend a lot of money for new talent — if they can find people to respond to their ads or return recruiters phone calls.
I’ve lived with lots of data about the cybersecurity skills shortage for many years and talk to dozens of CISOs annually about their staffing problems. I can only conclude that the cybersecurity skills shortage is getting worse over time and that it represents an existential threat to our economy and national security.
Note that the ESG/ISSA report is available for free download here. Your feedback is most welcome.