A study carried out by the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) reveals that the cybersecurity skills shortage has continued to worsen for the fourth year in a row. The shortage has affected over 70% of organizations, putting their operations at risk. The effects of the cybersecurity skills gap include increased workloads, an inability to fill open job postings, and an inability of organizations to use their cybersecurity tools effectively. The study, which has been running for ten years, reports no progress in closing the gap between supply and demand for cybersecurity professionals within the past four years. It surveyed 327 cybersecurity professionals and ISSA members from North America (92%), Europe (4%), Asia (3%), and Central and South America (about 1%).
Key findings of the cybersecurity skills gap study
The study found that the lack of a well-defined career path for cybersecurity professionals is a major contributor to the skills gap: about 68% of the professionals surveyed said they did not have a defined career path. The study also notes that past attempts to address the problem have only made it worse.
The skills gap was also attributed to the hands-on experience required to enter the cybersecurity industry. Gaining that experience, however, requires already holding a cybersecurity job, a circular requirement that bars new talent from getting a foothold. When asked what mattered most for their career development, 52% of respondents chose hands-on experience, while 44% selected a combination of experience and cybersecurity certification.
The research also pointed to the number of years needed to gain proficiency. Some 39% of respondents said it took between 3 and 5 years to achieve competency, while 22% said it took between 2 and 3 years. Close to a fifth (18%) said it took more than five years.
Organizations are also to blame for the skills gap. A majority of respondents (64%) said their organizations do not invest in their cybersecurity professionals. Over a third (36%) said their organizations should provide "a bit more" cybersecurity training, while 29% believed their companies should provide "significantly more" training for the cybersecurity workforce. A further 28% said their organizations were not providing enough security training for non-technical staff.
A large majority of respondents (68%) believed cybersecurity vendors should do "somewhat or a lot more" to address the gap, while 71% said the same of the cybersecurity community.
Jon Oltsik, Senior Principal Analyst and ESG Fellow, said the same issues of "shortage of skills, under-trained employees, and the stress and strain caused by a career in the cybersecurity field" recur every year. He said business executives need to be more concerned about these problems, especially as cybercriminals scale up their attacks.
Oltsik believes the shortage of cybersecurity professionals has a significant impact on security teams by increasing their workload. It also pushes organizations to hire more entry-level workers instead of training the seasoned professionals they already have. The new hires take years to learn, are unable to develop their skill sets, and fail to reach their full potential because the skills to mentor them are lacking within the organization. As a result, organizations spend money without seeing a return on the investment.
Candy Alexander, Board President of ISSA International, said filling the pipeline with new people would not solve the cybersecurity skills gap. She said a holistic approach involving education, career development, planning, and mapping was necessary to address the cybersecurity skills shortage.
When asked why there has been no progress in addressing the problem for decades, Alexander said:
"When looking deeper into the data, it becomes clear that professionals are stating that they are not receiving the opportunities to keep up to date on their skills because workloads are so significant that there is no time left to learn. It is a catch-22 situation. It is also clear upon looking closely at the data that the problem goes beyond technology and should be addressed holistically as a business issue. For example, businesses are investing in technology to protect their data. They may or very well may not understand why or be able to make the connection. So, therefore, it is a technology issue. But in reality, there needs to be better communication and insight to business as to why the investment in training is just as important to protect their environment as it is to invest in technology. It's kind of like buying top-of-the-line jet fighters but asking a commercial airline pilot to fly them. Sure, they can get it to take off, stay in the air, and land it. But can they use the jet fighter to its fullest capability, and know the techniques from experience to use the jet to its fullest potential? The answer there would be no, because the commercial airline pilot needs training. This is only compounded by the fact that many CISOs come from the technical community. When you look at job descriptions, that is what businesses are looking for. But let's face it, technologists don't always articulate HOW their security strategy will support the organization's strategy. We, as security leaders, need to be able to align our programs to directly support things like revenue generation, which is hard when security is seen as a cost center."