Contributing Writer

Is the cybersecurity skills shortage getting worse?

May 10, 2019, 4 mins
Careers, IT Jobs, IT Skills

New research indicates that things are not improving for filling the demand for cybersecurity skills. The ramifications are widespread.

I’ve been writing about the cybersecurity skills shortage for seven years and have become the “Chicken Little” of this topic. Now, we’ve all read about the number of cybersecurity job openings out there, but what is the impact of the skills shortage on cybersecurity professionals who are gainfully employed?

This is one of the focus areas of the third annual ESG/ISSA research report titled, The Life and Times of Cybersecurity Professionals. (Note: I am an ESG employee.) To evaluate this question, 267 cybersecurity professionals and ISSA members were asked whether the cybersecurity skills shortage has had an impact on the organization they work at. Nearly three-fourths (74%) of respondents say the cybersecurity skills shortage has impacted their organizations “significantly” or “somewhat.” 

This percentage has crept up annually. Last year, 70% of respondents said the cybersecurity skills shortage had impacted their organization, while two years ago, it was 69%.

Does this indicate that the cybersecurity skills shortage is getting worse? It’s hard to say (based upon ESG/ISSA research alone) due to the changing research panel pool and the margin of error for the sample size. What’s absolutely clear, however, is that there is no evidence to suggest that the cybersecurity skills shortage is improving whatsoever.

Ramifications of the cybersecurity skills shortage

What are the ramifications of the cybersecurity skills shortage? We put this question to the 74% of respondents whose organizations have felt the impact. Here are the results:

  • 66% of respondents claim that the cybersecurity skills shortage has resulted in an increased workload on existing staff. Since organizations don’t have enough people, they simply pile more work onto those that they have. This leads to human error, misalignment of tasks to skills, and employee burnout.
  • 47% of respondents claim that the cybersecurity skills shortage has resulted in an inability to fully learn or utilize some security technologies to their full potential. Let this one sink in. Organizations are buying expensive security tools but then letting them languish because they don’t have the time or resources to take advantage of them. Hmm, I wonder if Marsh & McLennan should consider this fact before developing a rating system for cybersecurity products. Note to Marsh: Product quality doesn’t matter if no one knows how to use it properly.
  • 41% of respondents claim that the cybersecurity skills shortage has resulted in having to recruit and train junior employees rather than hiring experienced cybersecurity professionals. This situation is the new reality, so organizations must get used to it. In fact, smart CISOs will work with local universities, develop training and job rotation programs, establish mentorships, and become centers of excellence for cybersecurity career development.
  • 40% of respondents claim that the cybersecurity skills shortage has resulted in limited time to work with business units to align cybersecurity with business processes. Think about this one. Organizations are expanding their use of technology as part of their business mission, yet the cybersecurity staff doesn’t have enough time to work with the business to mitigate risk or safeguard business processes. Holy cow, this should be an alarming statistic for every CEO.

It is worth noting that the cybersecurity skills shortage is about skills and not just job vacancies. So, many organizations are understaffed AND lacking advanced skills in areas such as cloud security, threat intelligence, security investigations and forensics, etc. 

President Trump recently issued an executive order aimed at bridging the cybersecurity skills gap. Will this make a dent in the skills shortage? Nope. Any action is better than none, but the executive order is window dressing – too little and too late. 

Since our lives are now controlled by bits and bytes, the cybersecurity skills shortage is an existential threat to all of us. It’s high time we addressed this issue with a true sense of urgency.

Note: The ESG/ISSA report is available for free. The data presented in the report should be beneficial for cybersecurity and IT professionals, business managers, and legislators.

Jon Oltsik is a distinguished analyst, fellow, and the founder of ESG's cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.
