Organizations with 100 to 999 employees remain understaffed and under-skilled in cybersecurity—and an easy mark for hackers

Each year, respondents to ESG’s annual global survey of IT and cybersecurity professionals are asked to identify the area where their organizations have a problematic shortage of skills. For the sixth year in a row, cybersecurity skills topped the list—this year, 45% of the 641 respondents said their organization has a problematic shortage of cybersecurity skills.

Now, the cybersecurity skill shortage isn’t picky; it impacts all organizations across industries, organizational size, geography, etc. Nevertheless, global cybersecurity may be especially problematic for organizations in the mid-market, from 100 to 999 employees.

Keep in mind that the skills shortage isn’t limited to headcount. Rather, it also includes skills deficiencies—situations where security staff members don’t have the right skills to address the dynamic and sophisticated threat landscape.

In 2016, ESG teamed up with the Information Systems Security Association (ISSA) in a research project focused on cybersecurity professional careers. Some of the data from this project illustrates the cybersecurity skills challenge in the mid-market. For example:

- 35% of cybersecurity professionals working at mid-market organizations said their organization should provide significantly more cybersecurity training so the cybersecurity team can keep up with current risks (i.e., threats and vulnerabilities).
- 30% of cybersecurity professionals working at mid-market organizations said the cybersecurity skills shortage has had a significant impact on their organization, while another 35% said the cybersecurity shortage has impacted their organization “somewhat.”

Respondents were also asked to identify the specific impact to their organizations:

- 54% of cybersecurity professionals working at mid-market organizations said the cybersecurity skills shortage has led to increasing workload for the existing cybersecurity staff.
- 38% of cybersecurity professionals working at mid-market organizations said the cybersecurity skills shortage has limited the time for training, since the cybersecurity staff is too busy keeping up with day-to-day responsibilities.
- 33% of cybersecurity professionals working at mid-market organizations said the cybersecurity skills shortage has impacted their ability to learn and fully utilize their cybersecurity technologies.
- 27% of cybersecurity professionals working at mid-market organizations said the cybersecurity skills shortage has led to an increase in human error in areas such as configuring security controls, investigating events, etc.

In summary, mid-market organizations are understaffed, running around putting out fires, and can’t dedicate enough time for cybersecurity training or strategic planning. This has led to a perpetual game of catch-up that seems fraught with human error and staff burnout. Keep in mind that most mid-market organizations have a small cybersecurity staff of one to five people, so they end up delegating lots of security tasks to IT operations with fewer cybersecurity skills and a whole lot of other work to do.

I’ve been writing about the cybersecurity skills shortage for years (as have others), and this issue certainly garners lip service from academics and the industry. Still, most cybersecurity discussions remain focused on the new technology du jour and not enough about people issues.
In my humble opinion, the cybersecurity skills shortage demands more attention because it represents an existential problem that threatens all of us. Just ask cybersecurity professionals working at mid-market organizations.