I’ve written a lot about the cybersecurity skills shortage lately, based upon data from a new research report titled The Life and Times of Cybersecurity Professionals, a collaborative effort by ESG and the Information Systems Security Association (ISSA). The report indicates that:
- 70% of cybersecurity professionals believe that their organizations have been impacted by the cybersecurity skills shortage.
- What type of impact? 63% say that the cybersecurity skills shortage has increased the workload on existing staff, 41% have had to hire junior personnel in lieu of more experienced staff, and 41% claim that the cybersecurity staff spends a disproportionate amount of time on incident response and too little time on planning and strategy.
- The areas where the skills shortage is most acute include security investigations/analysis (31%), application security (31%), and cloud security (29%).
In aggregate, many organizations don’t have enough cybersecurity staff, and the staff they do have lack some (or many) advanced skills.
The research revealed another disturbing trend around cybersecurity training. Much like health care and medicine, cybersecurity changes constantly as attackers’ tactics, techniques, and procedures (TTPs) evolve, new technologies arrive, and so on. Consequently, continuous education is essential.
Cybersecurity professionals understand this requirement. According to the ESG/ISSA research, 96% of cybersecurity professionals strongly agree or agree that they must keep their skills current or the organizations they work for will be at a significant disadvantage against today’s cyber-threats.
Clearly, cybersecurity pros should keep their skills up to date through continuous education and training. Unfortunately, the research also indicates that this isn’t happening:
- Two-thirds (67%) admit that they try to keep up with training but lament that it is hard to do so because of the demands of their jobs.
- Only 38% of cybersecurity pros say that their organizations provide the right level of training and education on the latest threats and TTPs. Alarmingly, 27% of survey respondents say that their organization should provide significantly more.
Allow me to summarize this data for emphasis: most cybersecurity pros are too busy to keep up with training on their own, and employers aren’t helping, since most don’t support the cybersecurity staff with an adequate level of training.
This is a disturbing situation that needs to be rectified as soon as possible. CISOs must:
- Assess the skill level of the cybersecurity staff and identify skills deficits.
- Find ways to address workload bloat by investing in security automation, staff augmentation, and managed services.
- Provide ample opportunities for skills development through onsite training, mentoring, networking, and continuing education.
- Measure and compensate the cybersecurity staff (and themselves) on skills development, not just on incidents handled.
Note that the ESG/ISSA research report is available for free download here. Your feedback is welcome.