Research confirms the cybersecurity skills shortage is an existential threat

I’ve been writing about the cybersecurity skills shortage for seven years, clucking like a digital “chicken little” to anyone who would listen. If you’ve followed my blog posts, you probably know that ESG research from early 2017 indicated that 45 percent of organizations said they have a problematic shortage of cybersecurity skills. This data represents large and small organizations across all geographic regions, so the cybersecurity skills shortage can be considered a pervasive global issue.

I’ve noticed that most people interpret the ESG (and other) data about the cybersecurity skills shortage from a jobs perspective. In other words, they view the skills shortage as a situation where there are more cybersecurity jobs available than there are people to fill them. 

While that is true, it minimizes the scope of the problem at hand. Rather than simply focus on the jobs deficit, we need to understand the wide-ranging ramifications the cybersecurity skills shortage is having on the cybersecurity community, the organizations they work for, and society at large.

ESG set out to look at these issues through a research project conducted in collaboration with the Information Systems Security Association (ISSA). For starters, we asked 343 cybersecurity professionals (and ISSA members) whether the cybersecurity skills shortage has had any impact on the organizations they work for. Twenty-seven percent of survey respondents said the skills shortage has had a significant impact on their organization, while another 43 percent said the cybersecurity skills shortage has had somewhat of an impact.

How the cybersecurity skills shortage impacts organizations

Taken together, 70 percent of organizations were affected by the cybersecurity skills shortage. But what is the real impact here? Here’s how cybersecurity professionals answered this question:

• 63 percent said the cybersecurity skills shortage has led to increasing workload on the existing staff. No surprise here, but think about the consequences, such as an overwhelmed cybersecurity team, high burnout rates, human error and the Peter principle at work. 
• 41 percent said they’ve had to hire and train junior employees rather than hire people with the appropriate level of skills needed. This is an admirable and creative effort, but it also translates to a lengthy skills gap timeframe while junior employees get up to speed. In the meantime, risk increases, attacks go undetected, and problems go unresolved.
• 41 percent said the cybersecurity staff is forced to spend a disproportionate amount of time on high-priority issues and incident response with limited time spent on planning, strategy, or training. Think of the cybersecurity team as fire fighters, with new blazes constantly starting across IT. It would be difficult for anyone to maintain this pace for long. Meanwhile, organizations have no time for proactive measures to improve cybersecurity efficacy, streamline operations, or mitigate risk. That means they aren’t prepared for emerging threats and continue to rely on a culture of emergency response. 
• 39 percent said the cybersecurity staff has limited time to work with business units to align cybersecurity with business processes. You’ve heard the rhetoric that “cybersecurity is a boardroom issue?” The ESG/ISSA research found that this is far from universally true. To this day, too many business leaders opt for “good enough” security and don’t work collaboratively with the cybersecurity team. Oh, and this research suggests that the cybersecurity skills shortage only exacerbates the infosec/business gap.
• 39 percent said the cybersecurity skills shortage has led to a situation where cybersecurity professionals are unable to learn and/or fully utilize their security technologies to their full potential. This indicates that organizations are purchasing new security technology and then are too busy to use them correctly. Hmm, not much ROI here.

To summarize, the cybersecurity skills shortage is having an impact on people (i.e. overwhelming workload, limited time for training, etc.), processes (limited proactive planning, limited time to work with business units, etc.) and technology (limited time to customize or tune security controls, etc.). In aggregate, all of us are being protected by an understaffed and underskilled workforce, and the data suggests things are only getting worse. 

I’ve said it before, but allow me to assume the role of Cyber Chicken Little again — the cybersecurity skills shortage represents an existential threat to our national security.  As an industry, society, and community, we must stop pussyfooting around this issue and work together toward some real solutions.

The ESG/ISSA report is available for free download here.  We’ve made the report free for download because we truly believe these issues need more attention, and it is our goal to use this research to facilitate a broader discussion. I’ll also be blogging religiously about this data for a while.