I’ve been researching and writing about the global cybersecurity skills shortage since the early 2000s. Perhaps the world viewed me as “chicken little,” but I saw back then that there were more jobs than people, and many employed security pros were lacking advanced and increasingly necessary skill sets. Since we all depend on a skilled cybersecurity professional workforce to protect our data, I thought then it was worth sounding the alarm bells.
Fast forward to today, and as Yogi Berra once said, “it’s deja-vu all over again.” New research from the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) indicates no end in sight. This year, 71% of security pros say their organization has been impacted by the global cybersecurity skills shortage – up from 57% in 2021. What type of impact? Of those reporting that their organization has been impacted:
- Sixty-one percent claim the skills shortage has led to increasing workloads for existing staff. Now, there’s a good idea: Ask overworked employees to do even more. What could go wrong?
- Forty-nine percent claim the skills shortage causes new jobs to remain open for weeks or months. I find that this is especially true in smaller organizations, those in remote areas, and those in the public sector, but even large and well-resourced organizations report difficulties in filling jobs.
- Forty-three percent claim the skills shortage has led to high burn-out and/or attrition rate among cybersecurity staff. The skills shortage is sort of a self-fulfilling prophecy. Organizations are short-staffed or lack advanced skills. So, they push their employees to do more with less. Employees burn out and seek greener pastures, creating new job openings that go unfilled and lead to more work for existing staff. Not good.
- Thirty-nine percent claim the skills shortage has led to an inability to learn or use security technologies to their full potential. I call this the “Microsoft Word” phenomenon. We all use Word (or something similar), but most of us use less than 10% of its functionality. Why? Because we never have the time to learn more. Fine, we muddle through with Word, but this minimalist behavior is unacceptable when organizations spend thousands on technical security controls, only to learn the basics, and remain at risk. CISOs should find this situation totally intolerable.
- Thirty percent claim that the skills shortage has led their organizations to hire and train junior employees rather than experienced candidates. This strategy is okay if you invest wisely in internship, mentoring, and training programs to create a cybersecurity center of excellence. In fact, organizations that do so will find it much easier to recruit and hire as word of these progressive programs gets out within the cybersecurity diaspora. If the training is shoddy, junior employees will be quickly overwhelmed.
Cybersecurity skills shortage getting worse
The research clearly indicates that we are far from addressing the cybersecurity skills shortage in any meaningful way despite years of people like me pointing out that the sky was falling. Alarmingly, we don’t even seem to be making any progress – 54% of cybersecurity professionals surveyed say that the skills shortage has gotten worse over the past two years while 41% claim it is about the same. Alas, only 5% believe it has improved.
It may be an obvious point, but CISOs can’t hire their way out of this situation. What can be done? Security professionals have some suggestions for their organizations that I’ll cover later. Meanwhile, the entire ESG/ISSA research report, The Life and Times of Cybersecurity Professionals v6, is available as a free ebook. Beyond the cybersecurity skills shortage, it covers cybersecurity professional career development, job satisfaction, and CISO performance and leadership.