Just What Cyber Security Executives Don’t Want to Hear: The Skills Shortage is Worsening

  • The cyber security skills gap continues to get worse, according to the latest research
  • Among the top ramifications for cyber security teams are an increasing workload, unfilled jobs, and an inability to learn or use cyber security technologies to their full potential
  • Security and business executives need to work together to address the issue more effectively

Cyber security executives and hiring professionals won’t be thrilled to know that the security skills shortage, a challenge they’ve been grappling with for years, is worsening.

A recent report by the Information Systems Security Association (ISSA), a community of international cyber security professionals, and independent industry analyst firm Enterprise Strategy Group (ESG) shows that the skills gap has grown over the past few years.

The organizations surveyed 327 global security and IT professionals earlier this year and found that the skills crisis has worsened for the fourth year in a row and has affected nearly three quarters of the organizations surveyed.

Among the top ramifications of the skills shortage for organizations or cyber security teams are an increasing workload, unfilled open job requisitions, and an inability to learn or use cyber security technologies to their full potential, putting organizations at significant risk.

The cyber security skills gap discussion has been going on for nearly 10 years, the report noted. And the latest study confirmed that there has been no significant progress toward a solution to the problem. Indeed, 45% of respondents said the skills shortage and its associated impacts have only gotten worse in recent years.

The researchers think the root cause of the problem has never been addressed. What is needed, they said, is a holistic approach of continuous cyber security education, where each stakeholder needs to play a role collaboratively rather than operating in silos.

Cyber security professionals need a comprehensive, globally accepted career development plan, the report said. Without guidance and a clear path to follow, it’s difficult for new job candidates to know what is needed and how to acquire the skills necessary to enter the cyber security profession.

Today, professionals in the field are far too often left to figure out how to advance their careers on their own. The research showed that nearly 70% of the cyber security professionals surveyed don’t have a well-defined career path and “historical solutions” are only compounding problems.

Cyber security careers depend on hands-on experience, and that requires a job. When asked which was most important for their career development, hands-on experience or security certifications, more than half of the professionals chose hands-on experience. However, 44% said hands-on experience and certifications are equally important. The combination of experience and certifications requires having the right job and the right career plan, but few cyber security professionals are achieving this combination.

The report also noted that it takes years to become a proficient cyber security professional. About 40% of those surveyed think it takes anywhere from three to five years to develop real cyber security proficiency, while 22% said it takes two to three years and 18% said it takes more than five years. This means entry level cyber security professionals should be viewed as long-term investments, not immediate problem solvers.

Unfortunately, enterprises are not investing in their people or supporting cyber security integration within the organization, the study said. About two thirds of respondents think their organization should be doing somewhat or a lot more to address cyber security challenges. The researchers noted that business executives see this as a technical problem rather than a business issue.

Organizations are not providing the right level of cyber security training, the report said. Just over one third of the security professionals said their organizations should provide more cyber security training, while 29% think their organizations should provide significantly more training. And 28% think their organizations are not providing enough training for non-technical employees.

“Based on four years of research, training seems to be a perpetual shortcoming,” the report said. “Alarmingly, there seems to be no plan for improvement.”

Security executives including CISOs need to work with business executives to address the skills gap. Although many professionals think there is adequate CISO participation with executives and corporate boards, one quarter think CISOs and business executives could do more together.

Cyber security professionals rated other critical constituencies on their ability to keep up with cyber security challenges, and the results indicate that they need to improve. For example, about 70% think cyber security technology and service vendors should be doing somewhat or a lot more and about the same number think the cyber security community at large should be doing somewhat or a lot more.

“The cyber security gap cannot be addressed by simply filling the pipeline with new people,” said Candy Alexander, board president of ISSA International. “What’s needed is a holistic approach, starting with public education, comprehensive career development and planning, and career mapping—all with the support and integration with the business.”

The results of the latest report as well as the earlier ones clearly indicate that key constituents are not looking at the profession strategically, said Jon Oltsik, senior principal analyst and ESG Fellow. “While we are making some fragmented progress, the same issues present themselves year after year, including a shortage of skills, under-trained employees, and the stress and strain caused by a career in the cyber security field,” he said.

These trends should be of concern to corporate directors and business executives, Oltsik said, particularly in light of the alarming findings this year that more than two thirds of respondents think cyber security adversaries have a big advantage over defenders.