I’ve been writing about the cybersecurity skills shortage for 7 years and have become the “Chicken Little” of this topic. Now, we’ve all read about the number of cybersecurity job openings out there, but what is the impact of the skills shortage on cybersecurity professionals who are gainfully employed?
This is one of the focus areas of the third annual Enterprise Strategy Group/ISSA research report titled The Life and Times of Cybersecurity Professionals 2018. To evaluate this question, 267 cybersecurity professionals and ISSA members were asked whether the cybersecurity skills shortage has had an impact on the organization they work at. Nearly three-quarters (74%) of respondents say that the cybersecurity skills shortage has impacted their organizations significantly or somewhat.
This percentage has crept up annually. Last year, 70% of respondents said that the cybersecurity skills shortage had impacted their organization, while 2 years ago, it was 69%.
Does this indicate that the cybersecurity skills shortage is getting worse? It’s hard to say (based upon ESG/ISSA research alone) due to the changing research panel pool and the margin of error for the sample size. What’s absolutely clear, however, is that there is no evidence to suggest that the cybersecurity skills shortage is improving whatsoever.
What are the ramifications of the cybersecurity skills shortage? We asked this question to the 74% of respondents whose organizations have felt the impact. Here are the results:
- 66% of respondents claim that the cybersecurity skills shortage has resulted in an increased workload on existing staff. Since organizations don’t have enough people, they simply pile more work onto those that they have. This leads to human error, misalignment of tasks to skills, and employee burnout.
- 47% of respondents claim that the cybersecurity skills shortage has resulted in an inability to fully learn or utilize some security technologies to their full potential. Let this one sink in. Organizations are buying expensive security tools but then letting them languish since they don’t have the time or resources to take advantage of them. Hmm, I wonder if Marsh & McLennan should consider this fact before developing a rating system for cybersecurity products. Note to Marsh: Product quality doesn’t matter if no one knows how to use it properly.
- 41% of respondents claim that the cybersecurity skills shortage has resulted in having to recruit and train junior employees rather than hire experienced cybersecurity professionals. This situation is the new reality so organizations must get used to it. In fact, smart CISOs will work with local universities, develop training and job rotation programs, establish mentorships, and become centers of excellence for cybersecurity career development.
- 40% of respondents claim that the cybersecurity skills shortage has resulted in limited time to work with business units to align cybersecurity with business processes. Think about this one. Organizations are expanding their use of technology as part of their business mission, yet the cybersecurity staff doesn’t have enough time to work with the business to mitigate risk or safeguard business processes. Holy cow, this should be an alarming statistic for every CEO.
It is worth noting that the cybersecurity skills shortage is about skills and not just job vacancies. So, many organizations are understaffed and lacking advanced skills in areas like cloud security, threat intelligence, security investigations and forensics, etc.
President Trump recently issued an executive order aimed at bridging the cybersecurity skills gap. Will this make a dent in the skills shortage? Nope. Any action is better than none, but the executive order is window dressing – too little and too late.
Since our lives are now controlled by bits and bytes, the cybersecurity skills shortage is an existential threat to all of us. It’s high time we addressed this issue with a true sense of urgency.
Note: The Enterprise Strategy Group/ISSA report is available for free. The data presented in the report should be beneficial for cybersecurity and IT professionals, business managers, and legislators.