New research confirms the cybersecurity skills shortage isn't going anywhere, with 95% of security professionals saying the situation has stayed the same or gotten worse over the past few years.
"There's no cavalry riding through to save the day," said Jon Oltsik, senior principal analyst at Enterprise Strategy Group (ESG), a division of TechTarget. "If you're a CISO, this is your reality. So, how are you going to deal with it?"
ESG and the Information Systems Security Association (ISSA) surveyed 489 security pros about their careers and workplaces for the fifth annual report, "The Life and Times of Cybersecurity Professionals," which they presented at the 2021 RSA conference. The researchers surveyed participants on the effects of the talent gap, which 38% said has led to overwork and burnout at their organizations -- a 12% increase since 2020. "It's a stressful job anyway, and you're piling work on people," Oltsik said. "Of course you're going to burn them out, and then they're going to leave."
Additionally, 59% of respondents said they do not believe their organizations are doing enough to address the negative effects of the cybersecurity skills shortage. Their feedback informed the following four suggestions for CISOs, executives and boards.
1. Incentivize employees
When researchers asked survey respondents about the factors contributing to cybersecurity skills shortages at their organizations, a relative majority cited failure to offer adequate compensation. "In a seller's market, that's going to kill you every time," Oltsik said. "You really can't be cheap here."
But while CISOs should obviously aim to provide competitive salaries, many simply don't have the resources to keep up with webscale enterprises. In some cases, however, creative and diverse compensation packages can still make employment offers compelling, Oltsik added. A government CISO at the state level, for example, might highlight nonmonetary benefits and incentives such as flexible working hours, a generous holiday schedule, a commitment to community service or continuing education opportunities.
About one in three survey participants also said they work in industries that are unattractive to many cybersecurity professionals, making it difficult to recruit. Those might include the public sector, healthcare, manufacturing or higher education, where security teams often have a lot of responsibility, relatively few resources and limited opportunities to gain specialized expertise, Oltsik said. "They're [spread] a mile wide and an inch deep," he added.
A CISO could sweeten the proverbial pot by paying for employees' participation in certification courses and industry networking events, or by offering robust mentoring or training opportunities. A strong internship program can create a steady internal talent pipeline, for example, with successful interns often staying on in full-time roles. Organizations should also consider making strategic concessions that make them more attractive to talented entry-level hires. For example, they could build a reputable, revolving-door training program where people learn on the job before leaving for more lucrative roles. "You might recruit them by saying, 'Look, this is a two-year run. But in two years, you're going to learn everything about security,'" Oltsik said.
2. Invest in training
When researchers asked survey participants how CISOs could better address the impact of the skills shortage, the most popular suggestion was to increase the overall commitment to cybersecurity training. In fact, security pros must keep developing their professional skills or put their organizations at a competitive disadvantage, according to 91% of respondents. Yet 59% also said the demands of their jobs make it difficult to find time for training. Oltsik calls this the cybersecurity training paradox.
"As a CISO, you have to ask yourself, 'Am I allocating enough time for my people to do training?'" he said, adding he recommends every security pro set aside at least 40 learning hours a year. If current workloads make continuing education impossible, then CISOs should use the ESG-ISSA survey data to make the case for expanding their teams, Oltsik added. Consider physicians, who must constantly review the latest medical research and pharmaceutical studies to optimize patient care. "It's the same for cybersecurity professionals," he said. "Either you're training your people or you're at risk."
The cybersecurity skills shortage is more acute in some technical specialties than others, with survey participants reporting the greatest dearth of talent in cloud computing security, security analysis and investigations, and application security. The takeaway, according to Oltsik: A CISO looking for someone in one of those areas must be prepared to pay a top-tier salary to an experienced analyst or invest in training one from the ground up.
By creating an atmosphere of professional learning and growth, ongoing training also helps improve employee satisfaction and retention, ISSA International President Candy Alexander said at the RSA conference. "Businesses are just not investing appropriately in their cybersecurity departments," she said. "Some people think staff will jump ship as soon as they get more training, but investment builds loyalty. If I feel valued, then I'm going to do anything I can for my boss."
3. Recruit via professional networks
Three-quarters of survey participants reported it is either extremely difficult or somewhat difficult to recruit new cybersecurity staff, with some roles being harder to fill than others. Entry-level workers are relatively easy to find, as there are generally at least as many candidates as there are positions, according to Oltsik. At the other end of the spectrum, executive leadership positions are few and far between, so they cause minimal recruitment issues. Mid-career and senior staff with at least four years of professional experience are by far the most challenging to find, according to 71% of respondents.
To explore how CISOs might most effectively recruit new hires, researchers asked cybersecurity professionals how they found their current jobs. Thirty-eight percent said they did so by networking with industry contacts, which underscores the importance for security managers of cultivating professional networks and attending events with the goal of recruitment. A casual conversation at a cloud networking conference session could uncover an unexpected candidate, for example.
"You might mention, 'I really want to get into cloud security for my next job,' and I might say, 'My organization is hiring, and we're willing to train,'" Oltsik said.
4. Get HR on board
Nearly one in three professionals surveyed said the HR departments at their organizations likely exclude strong job candidates because they don't understand the skills necessary to work in cybersecurity. One in four also said job postings at their organizations tend to be unrealistic, demanding too much experience, too many certifications or too many specific technical skills. Many suggested CISOs try to better educate HR and recruiters on real-world cybersecurity goals and needs.
"An entry-level job that requires three to five years of experience is ridiculous," Alexander agreed, adding that HR professionals often copy random job descriptions from other companies that have nothing to do with their own organizations' needs. "This is about our failure as a collective profession to educate the business on what we do," she said.
Many experts have proposed looking beyond IT and cybersecurity to find qualified candidates in other disciplines, an idea that also requires significant buy-in from and cooperation with HR and the business side. Oltsik suggested CISOs push to expand hiring searches to include candidates from law enforcement, data science, government, the military and other security-oriented professions.
"Some people tell me, 'There are plenty of people out there; we just don't recruit well,'" he added. "The data suggests both things are true. There is a pretty acute cybersecurity skills shortage, but we're not managing it or addressing it as well as we could."
And absent a silver-bullet solution, CISOs must do what they can.