Each year, ESG conducts a global survey on the state of IT – the business value of IT, new IT initiatives, areas of concern, etc. This year’s research is based upon a survey of 620 IT and cybersecurity professionals across all industries, with respondents working in North America and Western Europe.
ESG asks respondents to identify areas where they have a “problematic shortage” of skills on an annual basis. Once again in 2018, survey respondents say that cybersecurity represents the biggest area where their organizations have a problematic shortage of skills. The #2 response was IT architecture/planning, and the #3 response was server/virtualization administration.
What’s especially alarming is the steady growth we’ve seen over the years:
- 2014: 23% of respondents claimed that their organization had a problematic shortage of cybersecurity skills.
- 2015: 25% of respondents claimed that their organization had a problematic shortage of cybersecurity skills.
- 2016: 46% of respondents claimed that their organization had a problematic shortage of cybersecurity skills.
- 2017: 45% of respondents claimed that their organization had a problematic shortage of cybersecurity skills.
- 2018: 51% of respondents claimed that their organization had a problematic shortage of cybersecurity skills.
Oh, and in each of these years, cybersecurity was consistently the largest problematic skills shortage area.
This data aligns with the results of the 2017 ESG research project with the Information Systems Security Association (ISSA). In the ESG/ISSA study, 70% of cybersecurity professionals claimed that their organization was impacted by the cybersecurity skills shortage, with ramifications like an increasing workload on cybersecurity staff, the need to hire and train junior personnel rather than experienced cybersec pros, and a situation where the cybersecurity team spends most of its time dealing with the emergency du jour, leaving little time for training, planning, strategy, etc. (Note: This report is available for free download here.)
Based upon ESG research, other industry research, and lots of discussions with CISOs and cybersecurity professionals, I can only conclude that the cybersecurity skills shortage is getting worse. Given the dangerous threat landscape and a relentless push toward digital transformation, this means that the cybersecurity skills shortage represents an existential threat to developed nations that rely on technology as the backbone of their economy, critical infrastructure, and society at large.
The cybersecurity skills shortage impacts organizations of all sizes, industries, and geographies. This means that CISOs should consider the implications of the skills shortage in every decision they make. Smart CISOs are doing their best to cope with this situation by:
- Consolidating and integrating security technologies. This includes building an integrated security operations and analytics platform architecture (SOAPA) that lets them manage and utilize security technology holistically rather than on a tool-by-tool basis.
- Moving toward technologies with advanced analytics. Think of AI and machine learning as a helper application that can accelerate security processes and make the staff more productive.
- Automating and orchestrating processes. Cybersecurity grew up with a reliance on manual processes but these processes can no longer scale to meet growing demands. As a result, security automation/orchestration has become a top priority for many organizations.
- Taking a portfolio management approach to security. CISOs are taking stock of their people, skills, and limitations, and managing accordingly. How? Using cloud computing, SaaS offerings, and managed security services to cut costs, simplify security infrastructure, or delegate specific security controls and operations to 3rd
- Investing in their people. Experienced infosec pros can change jobs at will and greatly increase their compensation in the process. To safeguard against massive attrition, CISOs are increasing staff compensation, investing in career development, mentoring, and training, providing opportunities for the staff to get involved in security research, and encouraging cybersecurity staff members to network with others through professional organizations like ISSA.