As I’ve written many times, the cybersecurity skills shortage is the biggest cybersecurity issue we face today. Not only are there too few bodies to fill the cybersecurity jobs, but a recent series of research reports from ESG and the Information Systems Security Association (ISSA) indicates that many currently employed cybersecurity professionals are overworked, not managing their careers proactively, and not receiving the proper amount of training to stay ahead of increasingly dangerous threats. Yikes!
So, the skills deficit is clear but which types of cybersecurity skills are in the highest demand? In the recently published ESG/ISSA research report titled, Through the Eyes of Cybersecurity Professionals, 371 cybersecurity professionals were asked to identify areas where the organizations they worked for had the biggest skills gaps. The results are as follows:
- 33% of respondents say their organization has an acute shortage security analysis and investigations skills. This is a real problem as this skill set takes years to develop. Therefore, organizations will only find skills in this area by luring someone away from their existing job. Little wonder then why the ESG/ISSA research also indicates that 46% of cybersecurity professionals are solicited to consider a new job at least once per week.
- 32% of respondents say their organization has an acute shortage of application security skills. Not a surprise as application security is one of the most important areas of infosec that is too often overlooked. CISOs faced with a skills shortage here should look toward service providers and automated tools from OWASP or vendors like IBM, Veracode, or White Hat Security.
- 22% of respondents say their organization has an acute shortage of cloud security skills. This gap is likely to increase as more organizations move more of their workloads to public and private cloud infrastructure. Alternatively, if you have cloud and security skills, you should have ample opportunities for very high paying jobs.
- 21% of respondents say their organization has an acute shortage of security engineers. Again, this is troubling as these are senior people who perform a vital function—especially as enterprise organizations adopt applications for digital transformation and IoT that may require deep security technology and engineering knowledge.
- 20% of respondents say their organization has an acute shortage of penetration testers. This shortage will likely be a boon to vendors like FireEye, Rapid7, and SecureWorks that can perform these types of services.
The ESG/ISSA data reinforces my position that the cybersecurity skills shortage represents an existential threat. Enterprise organizations, many of those that handle our data and transactions daily, are understaffed and under-skilled. Furthermore, many have an acute shortage of key cybersecurity skills—like cybersecurity engineers, analysts, etc. This scary situation is only getting worse.
Both ESG/ISSA reports are available for free download here. Your comments, questions, and general feedback is welcome.