The cyber security skills crisis has continued to worsen over several years and has now affected more than half (57%) of organisations, according to the fifth annual global study of cyber security professionals by the Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG). The annual study seeks to understand the perspectives of people on the information security career path, so that others can better understand the challenges of this important field.
The new research report, The Life and Times of Cybersecurity Professionals 2021, surveyed 489 cyber security professionals and reveals several nuances surrounding the well-documented cyber security skills shortage. The top ramifications of the skills shortage include an increasing workload for the cyber security team (62%), unfilled open job requisitions (38%), and high burnout among staff (38%). Further, 95% of respondents state the cyber security skills shortage and its associated impacts have not improved over the past few years and 44% say it has only gotten worse.
Notably, the three most-often cited areas of significant cyber security skills shortages include cloud computing security, security analysis and investigations, and application security. These areas should be the focus for cyber security professionals when looking to develop skills.
Cyber security professionals undervalued
According to the researchers, businesses are not investing in their people in a manner that appropriately reflects the direness of today’s cyber threat landscape. A striking 59% of respondents said their organisation could be doing more to address the cyber security skills shortage, with nearly one-third noting that their organisation could be doing much more.
Cyber security professionals need fair and competitive compensation. This came up several times in the research report and is clearly critical to hiring and retaining security personnel. In a new finding this year, failure to offer competitive compensation is the top factor (38%) contributing to organisations' cyber skills shortage, because it makes it difficult to recruit and hire the cyber security professionals that organisations need. More than three-quarters (76%) of organisations admit that it is difficult to recruit and hire cyber security staff, with nearly one-fifth (18%) stating it is extremely difficult. Being offered a higher compensation package is the main reason (33%) CISOs leave one organisation for another.
More investment in training
The report found that cyber security training needs to be funded appropriately. When asked what actions organisations could take to address the cyber security skills shortage, the most common response (39%) was to increase cyber security training so that candidates can be properly prepared for their roles. The main reason cited for not meeting training requirements, given by nearly half (48%) of respondents, was that their employers do not pay for training and they cannot afford it themselves.
The cyber security training paradox continues and needs attention. Nearly all (91%) respondents agree that cyber security professionals must keep their skills current, or the organisations they work for are at a significant disadvantage against today's cyber-adversaries. Despite this need, 82% state that while they try to keep up with skills development, job requirements often get in the way. This is the paradox professionals face: they are called upon to make up for the existing skills shortage while falling behind on their own development.
Lack of understanding causes recruitment issues
Human resources and cyber security teams need to align on business value. Nearly one in three (29%) professionals surveyed said the HR departments at their organisations likely exclude strong job candidates because they do not understand the skills necessary to work in cyber security. One in four also said job postings at their organisations tend to be unrealistic, demanding too much experience, too many certifications, or too many specific technical skills. Nearly a third (30%) suggested CISOs try to better educate HR and recruiters on real-world cyber security goals and needs, and 28% said job requirements need to be more realistic about the levels of experience cyber security professionals typically have.
Good cyber security improves the core business
Business and cyber leaders need to work together to improve organisational dynamics. Business executives must embrace cyber security as a core component of the business, while CISOs need to move their people, processes, and technologies closer to the business. Organisations should be alarmed by the study's finding that:
“There is a lack of understanding between the cyber professional side and the business side of organisations that is exacerbating the cyber skills gap problem,” said Candy Alexander, Board President, ISSA International. “Both sides need to re-evaluate the cyber security efforts to align with the organisation’s business goals to provide the value that a strong cyber security programme brings towards achieving the goals of keeping the business running. Cyber security leaders should be able to link the security efforts directly to strategic business goals.”
Deep seated issues
“This report reveals some deep-seated issues with cyber security professionals and their organisations,” said Jon Oltsik, Senior Principal Analyst and ESG Fellow. “ESG and ISSA hope that cyber security professionals use this research to better understand their profession and peers as they manage their careers. For business and cyber security professionals, the data should be seen as a set of guidelines for maximizing cyber security investment, improving cyber security job satisfaction, and aligning cyber security with the business mission. The message is clear: Organisations with a cybersecurity culture are in the best position.”