The scary state of the cybersecurity profession

Most discussions about cybersecurity tend to go right to technology, and these days they usually start with the words “next generation” as in next-generation firewalls, IPS, endpoint security, etc. I get it, since innovative technology is sexy, but it’s important to realize that skilled cybersecurity professionals anchor cybersecurity best practices.  We depend on actual people to configure controls, sort through data minutiae to detect problems, and remediate issues in a timely manner.

+ Also on Network World: Recruiting and retaining cybersecurity talent +

Since these folks protect all our digital assets daily, it’s only natural that we’d be curious as to how they are doing. To measure these feelings, ESG teamed up with the Information Systems Security Association (ISSA) and conducted a survey of 437 global cybersecurity professionals. This project resulted in a recently published research report. 

In one survey question, cybersecurity professionals were presented with a series of statements and asked whether they agree or disagree with each. Here are some of the results:

• 91% of cybersecurity professionals strongly agree or agree with the statement: “Cybersecurity professionals must keep up with their skills or the organizations they work for are at a significant disadvantage against today’s cyber-adversaries.” 
• 63% of cybersecurity professionals strongly agree or agree with the statement: “A cybersecurity career can be taxing on the balance between one’s personal and professional life.”
•  63% of cybersecurity professionals strongly agree or agree with the statement: “While I try to keep up on cybersecurity skills, it is hard to do so given the demands of my job.”    
• 55% of cybersecurity professionals strongly agree or agree with the statement: “The cybersecurity skills shortage is a far bigger problem than is being communicated.” 

Taken together, this data presents an alarming picture.

Cybersecurity professionals believe that continuous education is a key ingredient of their profession, but they are stressed out, overworked and can’t keep up. Furthermore, they are being asked to increase their daily workloads because their employers can’t staff an adequately sized cybersecurity department. Since the global cybersecurity skills shortage shows no sign of dissipating, is there any doubt that things will continue to get worse?

When I present the ESG/ISSA data, I often comment that the global cybersecurity skills shortage and current state of the profession represents an existential threat. I realize this sounds like hyperbole, but it’s clear to me that the data supports my position. 

As a society, we need to attract new cybersecurity professionals, increase funding for cybersecurity education and make sure cybersecurity professionals get the training they need to keep up. In the meantime, CISOs and the organizations they work for should take the global cybersecurity skills shortage into account in each decision they make. Finally, we need to continue to monitor this situation so we can adjust business strategies, public policies, and International agreements accordingly. 

Note: The ESG/ISSA report is available for free download. Your feedback on the report is most welcome.