Economic headwinds could deepen the cybersecurity skills shortage

According to the most recent research report from ESG and the Information System Security Association International (ISSA), 57% of organizations claim that they’ve been impacted by the global cybersecurity skills shortage, while 44% of organizations believe the skills shortage has gotten worse over the past few years. The result? Increasing workloads on existing cybersecurity staff, job requisitions open for weeks or months, and high burnout rates and attrition for cybersecurity professionals. (ESG and ISSA will update and present their latest research at this year’s RSA conference.)

The most understaffed cybersecurity roles

Which jobs are most understaffed? According to ESG research from late 2022:

• Thirty-seven percent of organizations have a shortage of security architects. Based on my experience, this shortage is acute in two areas: Cloud security architects and those focused on technology integration (i.e., consolidating multiple technologies into a cohesive platform architecture).
• Thirty-five percent of organizations have a shortage of security engineers. Security engineers are the folks who install, configure, and maintain security solutions, so a lack of security engineers equates to suboptimal use of security technology. ESG is also seeing growing demand for individuals skilled in detection engineering (i.e., detection as code, Sigma/Yara rules creation, etc.) Thus, the proliferation of vendors such as Anvilogic, CardinalOps, and SOC Prime aim to bridge the detection engineering gap.
• Thirty-four percent of organizations have a shortage of tier-3 SOC analysts. These are the most experienced SOC analysts who get the difficult escalations/investigations and are often tasked with proactive threat hunting. In lieu of tier-3 analysts, organizations have no choice but to ask generalists to do specialist work.
• Thirty-three percent of organizations have a shortage of vulnerability management analysts. A shortage here leads to increased cyber risk as IT assets remain undiscovered, misconfigured, and vulnerable.
• Thirty-one percent of organizations have a shortage of CISOs, BISOs, or other senior cybersecurity positions. This shortage means that many organizations are operating security programs without the necessary leadership to identify cyber risk, manage an enterprise security program, and work with executives to align security with the business. Very scary!

Why a down economy will make the cybersecurity shortage worse

We’ve been dealing with the cybersecurity skills shortage for years, but there’s a bit of a new wrinkle here: the current state of the economy. Over the next 12 to 18 months, economic headwinds will exacerbate the impact of the cybersecurity skills shortage. Here are my two cents:

1. Cybersecurity pros will be more selective about job shopping. Over the past 10 years, security professionals have been offered generous compensation packages, often tied to stock options. Now that the markets are down and IPOs are nowhere to be seen, security professionals will eschew equity for cold hard cash. Beyond compensation alone, economic turmoil tends to drive more risk-averse behavior. Cybersecurity professionals are likely to hunker down, take a cautious approach to career progression, and wait for the economic storm to clear. These behavior changes may be felt most in Silicon Valley where risky career moves and equity are standard operating procedure.
2. Increasing use of security services will drain the talent pool. Look at anyone’s research and you’ll see that more organizations are turning to managed services to augment overburdened and under-skilled internal security staff. For example, recent ESG research on security operations indicates that 85% of organizations use some type of managed detection and response (MDR) service, and 88% plan to increase their use of managed services in the future. As this pattern continues, managed security service providers (MSSPs) will need to add headcount to handle increasing demand. Since service provider business models are based on scaling operations through automation, they will calculate a higher return on employee productivity and be willing to offer more generous compensation than typical organizations. One aggressive security services firm in a small city could easily gain a near monopoly on local talent. At the executive level, we will also see increasing demand for the services of virtual CISOs (vCISOs) to create and manage security programs in the near term.  
3. Hiring freezes will get in the way. During economic downturns, organizations often make draconian blanket decisions like cutting training, reducing the workforce, or freezing all new hires. When this happens, CISOs must fight with HR for each individual necessary hire, slowing down the employment process and forcing organizations to manage security despite being understaffed or lacking critical skills.

Yup, economic headwinds throw a wrench in the works for CISOs – especially those already dealing with security staffing and skills issues. What can they do? Increase training budgets, reinforce their commitments to key employees, work with vendors to get the most out of their products, and supplement staff with service providers.