Security analysts/investigators, application security specialists, and cloud security skills top a long list of skills deficits.

In my last blog, I reviewed some new research from ESG and the Information Systems Security Association (ISSA), revealing that 70% of cybersecurity pros say that the global cybersecurity skills shortage has impacted their organizations. Based upon this and other similar research, I’m convinced that the cybersecurity skills shortage represents an existential risk to our data, businesses, and national security.

The data indicates that most organizations don’t have enough cybersecurity staffers, don’t have some necessary cybersecurity skills, or both – a daunting situation. ESG and ISSA also wanted to uncover areas where cybersecurity skills shortages are most acute. The top three areas cited were as follows:

31% of cybersecurity professionals say their organization has a shortage of security analysis and investigations skills. This is significant because security analysts are highly skilled and likely already employed, so if you want to hire these folks you’ll have to steal them from others. Oh, and if you don’t have an appropriate number of security analysts and investigators, it will probably take your organization longer to detect and respond to security events, increasing the prospect of a damaging data breach.

31% of cybersecurity professionals say their organization has a shortage of application security skills. Think about the whole ‘digital transformation’ trend going on across all industries. Now layer on the fact that many organizations can’t find or hire application security specialists. It’s easy to conclude that this mismatch can only result in a lot of insecure code being developed and deployed. Not only does this increase risk to the business, it’s also been proven again and again that addressing software security during the development phase is far more cost effective than protecting insecure production applications. Unfortunately, application security skills shortages mean that organizations are spending more money for far less security protection.

29% of cybersecurity professionals say their organization has a shortage of cloud security skills. ESG research from earlier this year indicates that 42% of organizations currently use IaaS and/or PaaS services today, and these percentages are poised to increase in the future. So, more workloads are being moved to the cloud, yet we don’t have enough cloud security skills to be sure that these applications and data have the proper level of oversight and protection. I’ve seen too many organizations try to force fit traditional security controls to try and protect cloud-based workloads. Often, these projects fail. Perhaps this misguided strategy is driven by the fact that many security pros simply don’t have the right chops for cloud security so they simply default to what they know regardless of whether it is an appropriate strategy or not.

Beyond these three, survey respondents pointed to skills shortages in areas like penetration testing (23%), risk/compliance administration (22%), security engineering (21%) and so on. Once again, it’s likely that many organizations have skills deficits in several of these areas.

The overall picture is bleak – many organizations may not have the right skills and resources to adequately secure new business and IT initiatives and may also lack ample skills to detect and respond to incidents in a timely fashion. Therefore, I keep coming back to two words – existential threat.

ESG and ISSA believe this new report contains a lot of important data that should be reviewed and discussed by business executives, CISOs, cybersecurity professionals, technology vendors, legislators, etc. Thus, the report is available for free download here. Your feedback is welcome and encouraged.