ESG conducts an annual global survey of IT and cybersecurity professionals, and this year’s survey included 641 global respondents. Each year, these respondents are asked to identify the area where their organizations have a problematic shortage of skills. For the sixth year in a row, cybersecurity skills topped the list—this year, 45% of respondents say that their organization has a problematic shortage of cybersecurity skills.
Now the cybersecurity skill shortage isn’t picky; it impacts all organizations across industries, organizational size, geography, etc. Nevertheless, the global cybersecurity skills shortage may be especially problematic for organizations in the mid-market (from 100 to 999 employees).
Keep in mind that the skills shortage isn’t limited to headcount. Rather, it also includes skills deficiencies—situations where security staff members don’t have the right skills to address the dynamic and sophisticated threat landscape.
In 2016, ESG teamed up with the Information Systems Security Association (ISSA) in a research project focused on cybersecurity professional careers (note: The research report based upon this project is available for free download here). Some of the data from this project illustrates the cybersecurity skills challenge in the mid-market. For example:
- 35% of cybersecurity professionals working at mid-market organizations say that their organization should provide significantly more cybersecurity training so the cybersecurity team can keep up with current risks (i.e., threats and vulnerabilities).
- 30% of cybersecurity professionals working at mid-market organizations say that the cybersecurity skills shortage has had a significant impact on their organization while another 35% say that the cybersecurity shortage has impacted their organization somewhat.
Respondents were also asked to identify the specific impact to their organizations.
- 54% of cybersecurity professionals working at mid-market organizations say that the cybersecurity skills shortage has led to increasing workload for the existing cybersecurity staff.
- 38% of cybersecurity professionals working at mid-market organizations say that the cybersecurity skills shortage has limited the time for training since the cybersecurity staff is too busy keeping up with day-to-day responsibilities.
- 33% of cybersecurity professionals working at mid-market organizations say the cybersecurity skills shortage has impacted their ability to learn and fully utilize their cybersecurity technologies.
- 27% of cybersecurity professionals working at mid-market organizations say the cybersecurity skills shortage has led to an increase in human error in areas like configuring security controls, investigating events, etc.
In summary, mid-market organizations are understaffed, running around putting out fires, and can’t dedicate enough time to cybersecurity training or strategic planning. This has led to a perpetual game of catch-up that seems fraught with human error and staff burnout.
Keep in mind that most mid-market organizations have a small cybersecurity staff of 1 to 5 people so they end up delegating lots of security tasks to IT operations with fewer cybersecurity skills and a whole lot of other work to do.
I’ve been writing about the cybersecurity skills shortage for years (as have others) and this issue certainly garners lip service from academics and the industry. Still, most cybersecurity discussions remain focused on the new technology du jour and not enough on people issues.
In my humble opinion, the cybersecurity skills shortage demands more attention as it represents an existential problem that threatens all of us. Just ask cybersecurity professionals working at mid-market organizations.