Cybersecurity skills shortage threatens the mid-market

Each year, respondents ESG’s annual global survey of IT and cybersecurity professionals are asked to identify the area where their organizations have a problematic shortage of skills. For the sixth year in a row, cybersecurity skills topped the list—this year, 45% of the 641 respondents said their organization has a problematic shortage of cybersecurity skills. 

Now, the cybersecurity skill shortage isn’t picky; it impacts all organizations across industries, organizational size, geography, etc. Nevertheless, global cybersecurity may be especially problematic for organizations in the mid-market, from 100 to 999 employees.

Keep in mind that the skills shortage isn’t limited to headcount. Rather, it also includes skills deficiencies—situations where security staff members don’t have the right skills to address the dynamic and sophisticated threat landscape. 

In 2016, ESG teamed up with the Information Systems Security Association (ISSA) in a research project focused on cybersecurity professional careers. Some of the data from this project illustrates the cybersecurity skills challenge in the mid-market. For example:

• 35% of cybersecurity professionals working at mid-market organizations said their organization should provide significantly more cybersecurity training so the cybersecurity team can keep up with current risks (i.e. threats and vulnerabilities).
• 30% of cybersecurity professionals working at mid-market organizations said the cybersecurity skills shortage has had a significant impact on their organization, while another 35% said the cybersecurity shortage has impacted their organization “somewhat.”

Respondents were also asked to identify the specific impact to their organizations:

• 54% of cybersecurity professionals working at mid-market organizations said the cybersecurity skills shortage has led to increasing workload for the existing cybersecurity staff.
• 38% of cybersecurity professionals working at mid-market organizations said the cybersecurity skills shortage has limited the time for training, since the cybersecurity staff is too busy keeping up with day-to-day responsibilities.
• 33% of cybersecurity professionals working at mid-market organizations said the cybersecurity skills shortage has impacted their ability to learn and fully utilize their cybersecurity technologies.
• 27% of cybersecurity professionals working at mid-market organizations said the cybersecurity staff has led to an increase in human error in areas such as configuring security controls, investigating events, etc.

In summary, mid-market organizations are understaffed, running around putting out fires, and can’t dedicate enough time for cybersecurity training or strategic planning. This has led to a perpetual game of catch-up that seems fraught with human error and staff burn out.   

Keep in mind that most mid-market organizations have a small cybersecurity staff of one to five people, so they end up delegating lots of security tasks to IT operations with fewer cybersecurity skills and a whole lot of other work to do.

I’ve been writing about the cybersecurity skills shortage for years (as have others), and this issue certainly garners lip service from academics and the industry. Still, most cybersecurity discussion remain focused on the new technology du jour and not enough about people issues. 

In my humble opinion, the cybersecurity skills shortage demands more attention because it represents an existential problem that threatens all of us. Just ask cybersecurity professionals working at mid-market organizations.