I’ve written about and researched the cybersecurity skills shortage for many years. For example, ESG research indicates that 46% of organizations claim to have a “problematic shortage” of cybersecurity skills this year, an 18% increase from 2015 (note: I am an ESG employee).
Of course, I’m not the only one looking into the cybersecurity skills shortage. For example:
According to Peninsula Press (a project of the Stanford University Journalism Program), more than 209,000 U.S.-based cybersecurity jobs remained unfilled, and postings are up 74 percent over the past five years.
Analysis of the U.S. Bureau of Labor Statistics indicates that the demand for cybersecurity professionals is expected to grow 53 percent by 2018.
So many researchers agree then that we don’t have enough skilled prospects to fill all of the open cybersecurity jobs. Okay, but that puts a heck of a lot of burden on the existing cybersecurity workforce. Are they up to the task? Do they have the right training? Are they managing their careers appropriately?
To explore the answers to these questions, ESG teamed up with the Information Systems Security Association (ISSA), a global cybersecurity professional organization with just under 11,000 members, to survey cybersecurity professionals and get their impressions of the current state of the profession. This resulted in a “voice of the cybersecurity professional” research publication series. The initial report, titled The State of Cyber Security Professional Careers, is now available for free download (and aligns well with National Cyber Security Awareness Month). Part II (available sometime in November) will focus on cybersecurity professionals’ opinions on the state of cybersecurity today and its impact on society at large.
Data from the first report paints a sobering picture. For example:
Only 41% of cybersecurity professionals claim that they are “very satisfied” with their current job. Why the lack of job satisfaction? Many claim that their organizations don’t have a true commitment to cybersecurity while others are just plain overworked and burnt out.
More than half (56%) of cybersecurity professionals say that their organization is not providing them with the right level of training in order to keep up with business and IT risk. It’s easy to assume then that these individuals are falling farther behind as cyber-adversaries adopt more sophisticated tactics, techniques, and procedures (TTPs).
Cybersecurity is a team sport that depends upon collaboration and coordination between cybersecurity, business, and IT groups. Alarmingly, 20% of cybersecurity professionals characterize their working relationship with the IT team as fair or poor while 27% describe their working relationship with business teams as fair or poor. Given the parade of data breaches over the past few years, one would expect better results.
Almost half (46%) of cybersecurity professionals claim that they are solicited by cybersecurity recruiters at least once per week. This leads to salary inflation and attrition in the cybersecurity ranks.
To me, the overall state of the cybersecurity skills shortage represents an existential threat. Now, as I write this, I recognize the risk that my statement could be dismissed as analyst hyperbole, but I’m willing to take this risk based on the overall situation presented in the data.
We already knew that there aren’t enough skilled cybersecurity professionals to go around, but now we know that the existing cybersecurity workforce is not adequately trained, managed, or supported. As a result, there’s a sellers’ market for cybersecurity skills, adding costs, disrupting organizations, and increasing risk: a troubling and dangerous situation.
I will continue to blog about this important topic and encourage all readers to download and read the report. Your feedback is welcome and encouraged.