Here’s a quick review of some of the cybersecurity skills shortage data I’ve cited in recent blogs:
- According to ESG research from early 2017, 45% of organizations claim to have a problematic shortage of cybersecurity skills.
- In a recent research project conducted by ESG and the Information Systems Security Association (ISSA), 70% of cybersecurity professionals say that the cybersecurity skills shortage has had an impact on their organization. The skills shortage has led to an increasing workload on existing staff, the need to hire and train junior employees due to the lack of experienced talent, and a situation where the cybersecurity staff spends most of its time on emergency issues and very little time on proactive strategic planning or training.
- When asked to identify factors that contributed to past security incidents, 22% said that their cybersecurity team was not large enough for the size of their organization while 18% stated that the cybersecurity team cannot keep up with the workload.
- More than two-thirds (67%) of cybersecurity professionals claim that they are too busy with their jobs to keep up with skills development and training.
So, in aggregate, many organizations are understaffed, lack some (or many) types of advanced cybersecurity skills, and the staff is too busy to invest time in continuing education to keep up with the latest threats. Yikes!
CISOs recognize these issues and many organizations are actively hanging a ‘help wanted’ sign to find cybersecurity talent. Unfortunately, it is exceedingly difficult to bring new people onboard. Why? Experienced cybersecurity professionals are in high demand, so organizations are engaged in a battle royale to coax them away from their present employers and outbid others for their services.
Here’s a scary statistic that backs up this claim: According to a recently published ESG/ISSA research report titled The Life and Times of Cybersecurity Professionals, 49% of cybersecurity professionals are solicited to consider other cybersecurity jobs by various types of recruiters at least once per week! Further analyzing this data:
- Cybersecurity leaders are heavily recruited, as 61% of CSOs/CISOs and VP-level candidates are solicited to consider other cybersecurity jobs by various types of recruiters at least once per week.
- 66% of cybersecurity professionals working in health care are solicited to consider other cybersecurity jobs by various types of recruiters at least once per week.
- Weekly recruitment is about equal, at around 50%, for cybersecurity professionals in North America and Europe.
This data suggests that CISOs should be prepared to spend a lot of money for new talent – if they can find people to respond to their ads or return recruiters' phone calls.
I’ve lived with lots of data about the cybersecurity skills shortage for many years and talk to dozens of CISOs annually about their staffing problems. I can only conclude that the cybersecurity skills shortage is getting worse over time and that it represents an existential threat to our economy and national security.
Note that the ESG/ISSA report is available for free download here. Your feedback is most welcome.