I’ve been writing about the cybersecurity skills shortage for 7 years, clucking like a digital "chicken little" to anyone who would listen. If you’ve followed my blogs, you probably know that ESG research from early 2017 indicated that 45% of organizations said they have a problematic shortage of cybersecurity skills. This data represents large and small organizations across all geographic regions so the cybersecurity skills shortage can be considered a pervasive global issue.
I’ve noticed that most people interpret the ESG (and other) data about the cybersecurity skills shortage from a jobs perspective. In other words, they view the skills shortage as a situation where there are more cybersecurity jobs available than there are people to fill them.
While this is true, it minimizes the scope of the problem at hand. Rather than simply focus on the jobs deficit, we need to understand the wide-ranging ramifications the cybersecurity skills shortage is having on the cybersecurity community, the organizations they work for, and society at large.
ESG set out to look at these issues through a research project conducted in collaboration with the Information Systems Security Association (ISSA). For starters, we asked 343 cybersecurity professionals (and ISSA members) whether the cybersecurity skills shortage has had any impact on the organizations they work for. Twenty-seven percent of survey respondents say that the skills shortage has had a significant impact on their organization while another 43% say that the cybersecurity skills shortage has had somewhat of an impact.
Taken together, 70% of organizations were affected by the cybersecurity skills shortage, but what is the real impact here? Here’s how cybersecurity professionals answered this question:
- 63% say that the cybersecurity skills shortage has led to increasing workload on the existing staff. No surprise here, but think about the consequences: an overwhelmed cybersecurity team, high burnout rates, human error, and the Peter principle at work.
- 41% say that they’ve had to hire and train junior employees rather than hire people with the appropriate level of skills needed. This is an admirable and creative effort, but it also translates to a lengthy skills gap time frame while junior employees get up to speed. In the meantime, risk increases, attacks go undetected, and problems go unresolved.
- 41% say that the cybersecurity staff is forced to spend a disproportional amount of time on high-priority issues and incident response with limited time spent on planning, strategy, or training. Think of the cybersecurity team as firefighters with new blazes constantly starting across IT. It would be difficult for anyone to maintain this pace for long. Meanwhile, organizations have no time for proactive measures to improve cybersecurity efficacy, streamline operations, or mitigate risk. This means they aren’t prepared for emerging threats and continue to rely on a culture of emergency response.
- 39% say that the cybersecurity staff has limited time to work with business units to align cybersecurity with business processes. You’ve heard the rhetoric that "cybersecurity is a boardroom issue"? The ESG/ISSA research says that this is far from universally true. To this day, too many business leaders opt for "good enough" security and don’t work collaboratively with the cybersecurity team. Oh, and this research suggests that the cybersecurity skills shortage only exacerbates the infosec/business gap.
- 39% say that the cybersecurity skills shortage has led to a situation where cybersecurity professionals are unable to learn and/or fully utilize their security technologies to their full potential. This indicates that organizations are purchasing new security technologies and are then too busy to use them correctly. Hmm, not much ROI here.
To summarize, the cybersecurity skills shortage is having an impact on people (i.e., overwhelming workload, limited time for training, etc.), processes (i.e., limited proactive planning, limited time to work with business units, etc.) and technology (i.e., limited time to customize or tune security controls, etc.). In aggregate, all of us are being protected by an understaffed and under-skilled workforce and the data suggests that things are only getting worse.
I’ve said it before but allow me to assume the role of "cyber chicken little" again: The cybersecurity skills shortage represents an existential threat to our national security. As an industry, society, and community, we must stop pussyfooting around this issue and work together toward some real solutions.
The ESG/ISSA report is available for free download here. We’ve made the report free for download because we truly believe that these issues need more attention and it is our goal to use this research to facilitate a broader discussion. I’ll also be blogging religiously about this data for a while.