New research from ESG and ISSA illustrates a lack of advancement in bridging the cybersecurity skill shortage gap

For the past four years, ESG and the Information Systems Security Association (ISSA) collaborated on a research project focused on the experiences, opinions, and careers of cybersecurity professionals (download this year’s report).

At the risk of appearing like Chicken Little, I am quite alarmed. The security industry continues to address major issues with a combination of technology reliance and lip service. Yup, we remain gaga over technology and wave our arms around with training programs, but we aren’t making much progress.

Case in point: The global cybersecurity skills shortage. The research data clearly indicates that this situation not only isn’t improving, but it may in fact be getting worse. For example:

- 70% of cybersecurity professionals claim that their organization is impacted by the cybersecurity skills shortage. In the past four years, this percentage ranged from a low of 69% to a high of 74%, so the data shows a general lack of improvement.
- The primary ramifications of the skills shortage include an increasing workload on the existing cybersecurity staff, long-standing open jobs, an increase in hiring and training junior personnel, and an inability to learn or utilize security technologies to their full potential. This last implication is somewhat ironic. We are so busy putting out cybersecurity fires that we haven’t taken the time to learn how to properly use the hoses.
- Skills shortages are most acute among application security specialists, cloud security specialists, and security analysts. With organizations developing more software, moving workloads to the public cloud, and facing more sophisticated threats, these shortages are disconcerting, to say the least.
- Only 7% of cybersecurity professionals claim that their organization has improved its position relative to the cybersecurity skills shortage over the past few years. Alternatively, 45% say that things have gotten worse while 48% believe things are about the same today as they were in the past. So, we are either treading water or drowning.
- When asked if their organizations were taking the necessary actions to address the impact of the cybersecurity skills shortage, 58% of cybersecurity pros believe their organization should be doing somewhat or much more.

To be clear, the cybersecurity skills shortage has two components. The obvious one is that there aren’t enough cybersecurity professionals in the overall pool, so everyone is fighting for the same talent. Additionally, there is an acute shortage of advanced cybersecurity skills. Good luck finding an experienced threat hunter, incident responder, or cloud security architect. The implication here is that we are overworking the cybersecurity staff and relying on marginally skilled individuals for advanced requirements. This is akin to asking a nurse practitioner to perform open heart surgery.

If there’s one thing we can take away from four years of data on the skills shortage, it’s time we face facts. At a time when demand for cybersecurity aptitude is increasing, supply remains stagnant. With a revolution in digital transformation, IoT, and “smart” infrastructure, the cybersecurity skills shortage should be seen as an existential threat, not a minor inconvenience. It’s time that business leaders, elected officials, and educational institutions treat it as such.