In this ESG Video Blog, ESG's Jon Oltsik reviews some of the highlights from the research report "The State of Cyber Security Professional Careers", a joint effort by ESG and ISSA.
Announcer: The following is an ESG video blog.
Jon: Cybersecurity professionals are on the front line of an increasingly dangerous battle with sophisticated cyber-adversaries. This is a difficult challenge in itself, given the global shortage of cybersecurity talent. According to ESG research published earlier this year, 46% of organizations claimed to have a problematic shortage of cybersecurity skills at present.
ESG and other industry organizations have reported on this cybersecurity personnel deficit for many years, but what about the existing workforce? Are cybersecurity professionals happy with their career choice? Are they actively managing their careers? Are they being properly trained? Or are they just overwhelmed?
To answer questions like these, the Enterprise Strategy Group and Information Systems Security Association, or ISSA, teamed up and initiated a primary research project in mid-2016 with the goal of capturing the voice and thoughts of cybersecurity professionals on the state of their profession, and gaining a perspective on situational analysis from those closest to this fight.
In pursuit of this goal, ESG and ISSA surveyed 437 information security professionals. Survey respondents represented organizations of all sizes, and included professionals located in all parts of the world. Through this project, ESG and ISSA learned many things, including that many cybersecurity professionals struggled to define their career paths. Sixty-five percent of respondents do not have a clearly defined career path or plans to take their career to the next level.
This is likely due to the diversity of cybersecurity focus areas, the lack of a well-defined professional career development standard and map, and the rapid changes in the cybersecurity field itself. Business, IT, and cybersecurity managers, academics, and public policy leaders should take note of today's cybersecurity career morass, and develop and promote more formal cybersecurity guidelines and frameworks that can guide cybersecurity professionals in their career development in the future.
Cybersecurity certifications are a mixed bag. Fifty-six percent of survey respondents had received a CISSP and felt it was a valuable certification for getting a job and gaining useful cybersecurity knowledge. Other than the CISSP certification, however, cybersecurity professionals appeared lukewarm on other types of industry certifications.
Based upon this data, it appears that security certification should be encouraged for specific roles and responsibilities, but downplayed as part of a cybersecurity professional's overall career and skills development.
Continuous cybersecurity training is lacking. When asked if their current employer provides the cybersecurity team with the right level of training to keep up with business and IT risk, 56% answered "No," suggesting that their organizations needed to provide more or significantly more training for the cybersecurity staff.
This represents one of the red flags uncovered in this research project. Organizations that don't provide continuous training to cybersecurity training will fall farther behind cyber-adversaries, while increasing business and IT risk. This should be an unacceptable situation for all business and technology managers.
Cybersecurity professionals are in extremely high demand. Forty-six percent are solicited to consider other cybersecurity jobs at least once per week. Cybersecurity skills represent a seller's market, where experienced professionals can easily find lucrative offers to leave one employer for another.
Turnover in the cybersecurity ranks could represent an existential risk to organizations, since cybersecurity is often based upon manual processes and personal experience. This is especially true in lower-paying industries like academia, healthcare, the public sector, and retail.
The entire report and executive summary are available for free download from both the ESG and ISSA websites. Given the magnitude of current cybersecurity issues, ESG encourages all cybersecurity professionals, vendors, and other interested parties to read the report. Our goal is to make next year's report even better, so please get back to us with your feedback.
"The State of Cyber Security Professional Careers", an ESG/ISSA Research Report, executive summary, and Infographic are all available for download here.