While infosec pros agree that continuous training is important, they are too busy to keep up.

I’ve written a lot about the cybersecurity skills shortage lately based upon data from a new research report titled The Life and Times of Cybersecurity Professionals, a collaborative effort done by ESG and the Information Systems Security Association (ISSA). The report indicates that:

- Seventy percent of cybersecurity professionals believe their organizations have been impacted by the cybersecurity skills shortage.
- What type of impact? Sixty-three percent say the cybersecurity skills shortage has increased the workload on existing staff, 41 percent have had to hire junior personnel in lieu of more experienced staff, and 41 percent claim the cybersecurity staff spends a disproportional amount of time on incident response and limited time on planning and strategy.
- The areas where the skills shortage is most acute include security investigations/analysis (31 percent), application security (31 percent), and cloud security (29 percent).

In aggregate, many organizations don’t have enough cybersecurity staff and lack some (or many) advanced skills.

Continuous cybersecurity education is essential

The research revealed another disturbing trend around cybersecurity training. Much like the state of healthcare and medicine, cybersecurity changes all the time based upon hackers’ tactics, techniques, and procedures (TTPs), new technologies, etc. Consequently, continuous education is essential. Cybersecurity professionals agree with this requirement. According to the ESG/ISSA research, 96 percent of cybersecurity professionals strongly agree or agree that they must keep up with their skills or the organizations they work for will be at a significant disadvantage against today’s cyber-threats.
Clearly, cybersecurity pros should keep their skills up to date through continuous education and training, but unfortunately, the research also indicates this isn’t happening:

- Two-thirds (67 percent) admit they try to keep up with training but lament that it is hard to do so because of the demands of their jobs.
- Only 38 percent of cybersecurity pros say their organizations provide the right level of training and education on the latest threats and TTPs. Alarmingly, 27 percent of survey respondents say their organization should provide significantly more.

Allow me to summarize this data for emphasis:

- Most cybersecurity pros are too busy to keep up with training on their own.
- Employers aren’t helping — most aren’t supporting the cybersecurity staff with an adequate level of training.

This is a disturbing situation that needs to be rectified as soon as possible. CISOs must:

- Assess the skills level of the cybersecurity staff and identify skills deficits.
- Find ways to address workload bloat by investing in security automation, staff augmentation, and managed services.
- Provide ample opportunities for skills development through onsite training, mentoring, networking, and continuing education.
- Measure and compensate the cybersecurity staff (and themselves) on skills development.

Note that the ESG/ISSA research report is available for free download here. Your feedback is welcome.