According to ESG research, 51% of organizations report having a problematic shortage of cybersecurity skills in 2018. This is up from 45% in 2017.
The cybersecurity skills shortage has multiple implications. Organizations don’t have right-sized teams and operate in a perpetually understaffed mode. Often, the cybersecurity team lacks some advanced skills in areas like security analytics, forensic investigations, or cloud computing security, putting more pressure on the most experienced staffers to pick up the slack. Finally, many organizations are so busy with day-to-day security operations that they have little time for ongoing cybersecurity training. According to research from ESG and the Information Systems Security Association (ISSA), 62% of cybersecurity professionals believe that their organization is not providing an adequate level of training for them to keep up with business and IT risks.
Clearly the cybersecurity skills shortage is affecting organizations, but what’s often overlooked is the impact it has on the cybersecurity pros in the trenches. For example, the ESG/ISSA research indicates:
- 70% of cybersecurity professionals say that the cybersecurity skills shortage has had some impact on their organization. Of course, they are living this impact.
- 63% of cybersecurity professionals say that the cybersecurity skills shortage has increased the workload on existing staff. More work and stress at the same salary is a surefire recipe for dissatisfied employees and high attrition.
- 41% of cybersecurity professionals say that the cybersecurity skills shortage has led to a situation where the infosec staff spends a disproportional amount of time dealing with high-priority issues and incident response. This means that many cybersecurity pros face a high-stress workplace from the beginning to the end of their workdays.
- 68% of cybersecurity professionals believe that a cybersecurity career can be taxing on the balance between one’s personal and professional life. In other words, infosec pros are taking the pressure of their jobs home with them. It’s safe to assume that this can lead to issues like substance abuse and others.
- 38% of cybersecurity professionals say that the cybersecurity skills shortage has led to high burnout rates and staff attrition. This affects cybersec pros and the organizations they work for.
It’s worth remembering that cybersecurity pros tend to take their jobs very personally. To paraphrase Elliot Alderson (of Mr. Robot), cybersecurity professionals want to save the world, so they become emotionally invested in their careers, adding to the stress levels. Alarmingly, the ESG/ISSA research also reveals that 60% are not very satisfied with their current job. Since many of these folks are suffering from cybersecurity job fatigue, can you blame them?
At the risk of continuing to sound like Chicken Little, I believe the cybersecurity skills shortage represents an existential threat to all of us. The organizations we regularly trust with our data don’t have enough trained people or advanced skills to adequately protect it. Furthermore, the cybersecurity professionals they depend upon are overworked, highly stressed, and prone to burnout.
No one is talking about it, but I believe that cybersecurity job fatigue is a real, growing, and troubling problem, exacerbated by the global cybersecurity skills shortage and the increasingly dangerous threat landscape. To address this, CISOs must assess the state of mind of key staff members, create work schedules to rotate personnel off the front lines, and provide the right levels of support, stress relief programs, and career counseling.