Contributing Writer

The cybersecurity skills shortage is getting worse

Aug 21, 2020

New research from ESG and ISSA illustrates a lack of advancement in bridging the cybersecurity skill shortage gap


For the past four years, ESG and the Information Systems Security Association (ISSA) collaborated on a research project focused on the experiences, opinions, and careers of cybersecurity professionals (download this year’s report).

At the risk of appearing like Chicken Little, I am quite alarmed.  The security industry continues to address major issues with a combination of technology reliance and lip service.  Yup, we remain gaga over technology and wave our arms around with training programs, but we aren’t making much progress.

Case in point: The global cybersecurity skills shortage.  The research data clearly indicates that this situation not only isn’t improving, but it may in fact be getting worse.  For example:

  • 70% of cybersecurity professionals claim that their organization is impacted by the cybersecurity skills shortage. In the past four years, this percentage ranged from a low of 69% to a high of 74%, so the data shows a general lack of improvement.
  • The primary ramifications of the skills shortage include an increasing workload on the existing cybersecurity staff, long-standing open jobs, an increase in hiring and training junior personnel, and an inability to learn or utilize security technologies to their full potential. This last implication is somewhat ironic.  We are so busy putting out cybersecurity fires that we haven’t taken the time to learn how to properly use the hoses. 
  • Skills shortages are most acute among application security specialists, cloud security specialists, and security analysts. With organizations developing more software, moving workloads to the public cloud, and facing more sophisticated threats, these shortages are disconcerting, to say the least.
  • Only 7% of cybersecurity professionals claim that their organization has improved its position relative to the cybersecurity skills shortage over the past few years. Alternatively, 45% say that things have gotten worse while 48% believe things are about the same today as they were in the past.  So, we are either treading water or drowning.
  • When asked if their organizations were taking the necessary actions to address the impact of the cybersecurity skills shortage, 58% of cybersecurity pros believe their organization should be doing somewhat or much more.

To be clear, the cybersecurity skills shortage has two components.  The obvious one is that there aren’t enough cybersecurity professionals in the overall pool, so everyone is fighting for the same talent.  Additionally, there is an acute shortage of advanced cybersecurity skills.  Good luck finding an experienced threat hunter, incident responder, or cloud security architect. 

The implication here is that we are overworking the cybersecurity staff and relying on marginally skilled individuals for advanced requirements.  This is akin to asking a nurse practitioner to perform open heart surgery. 

If there’s one thing we can take away from four years of data on the skills shortage, it’s time we face facts.  At a time when demand for cybersecurity aptitude is increasing, supply remains stagnant. 

With a revolution in digital transformation, IoT, and “smart” infrastructure, the cybersecurity skills shortage should be seen as an existential threat, not a minor inconvenience.  It’s time that business leaders, elected officials, and educational institutions treat it as such. 

Jon Oltsik is a distinguished analyst, fellow, and the founder of ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.