7 key data points on the cybersecurity skills shortage

The global cybersecurity skills shortage is as bad as it has ever been, and most organizations are feeling the pinch, new research finds. But cybersecurity professionals have many recommendations for addressing this situation.

I am proud to say that the annual Life and Times of Cybersecurity Professionals report from ESG and ISSA is now available for free download. 

As part of the research for this report, we always ask cybersecurity professionals several questions about the global cybersecurity skills shortage.  Is it real?  Are things improving or getting worse?  Is your organization impacted and, if so, how? 

Here are some key points this year's survey revealed:

  • Most organizations are impacted. This year, 57% of respondents said that their organizations have been impacted by the global cybersecurity skills shortage.  Among those who reported being impacted, 62% said that the skills shortage has increased the workload on existing staff;  38% said that new security jobs remain open for weeks or months; and 38% said that the skills shortage has led to employee burnout and employee attrition.  This situation is difficult and unsustainable. 
  • The skills shortage is not improving. Forty-four percent of survey respondents believe the cybersecurity skills shortage (and its impact) have gotten worse over the past few years, while 51% say it’s about the same today as it was over the past few years. Sadly, only 5% believe the situation has gotten better.
  • Recruiting and hiring cybersecurity staff remains challenging. Seventy-six percent of security professionals say it is either extremely (18%) or somewhat difficult (58%) to recruit cybersecurity professionals.
  • There is an acute shortage of cloud security and other skills. Cloud computing security is cited by nearly four in ten respondents (39%) as the area with the most acute skills shortage, followed by application security and/or security analysis and investigations (30%). Given this data, it’s safe to assume that organizations will face stiff competition when recruiting cybersecurity specialists in these areas. 
  • Organizations are not doing enough to bridge the cybersecurity skills gap. Twenty-seven percent of survey respondents believe their organization could be doing somewhat more to address the skills shortage while nearly one-third (32%) say their organizations could be doing much more.  This seems to indicate that status quo solutions are not working. 
  • The cybersecurity skills shortage exposes organizational issues. Survey respondents were asked to identify factors contributing to the skills shortage’s impact at their organizations.  Alarmingly, 29% said that their HR department doesn’t really understand cybersecurity skills, so it probably excludes qualified candidates, while 25% claim that cybersecurity job postings tend to be unrealistic, demanding too much experience, too many certifications, etc.  Clearly, CISOs and HR executives must get on the same page here. 
  • Cybersecurity professionals have some helpful recommendations. When asked what more their organizations could do to address the skills shortage, cybersecurity professionals suggested actions like increasing the commitment to cybersecurity training, boosting compensation, providing additional perks, and creating or improving a cybersecurity internship program. All worthwhile considerations.

Five years of ESG/ISSA data reinforces the fact that the cybersecurity skills shortage remains a nagging problem with no easy answers.  ESG/ISSA believe that organizations should strongly consider the survey respondents’ suggestions presented in the report.  Meanwhile, CISOs should assume that the skills shortage may affect every aspect of their cybersecurity programs. 

Actions to take now

While most organizations are impacted by the cybersecurity skills shortage (70% of the cybersecurity professionals we surveyed say that they are solicited by recruiters at least once per month), those that value cybersecurity, align cybersecurity with the business, and create a strong cybersecurity culture are in the best position to attract and retain talent.

Remember, too, that the skills shortage includes a shortage of personnel AND advanced skills.  Therefore, organizations can address aspects of the skills shortage by increasing their commitment to continuing cybersecurity education.

The ESG/ISSA research report is available for free download here.  Your feedback is welcome and appreciated. 

Copyright © 2021 IDG Communications, Inc.
