The cyber security skills crisis continues on a downward, multi-year trend of bad to worse and has impacted more than half (57%) of organisations, as revealed in the fifth annual global study of cyber security professionals by the Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG). This annual study seeks to understand the perspectives of the people on the information security career path to help others understand the challenges of this important field.
The new research report, The Life and Times of Cybersecurity Professionals 2021, surveyed 489 cyber security professionals and reveals several nuances surrounding the well-documented cyber security skills shortage. The top ramifications of the skills shortage include an increasing workload for the cyber security team (62%), unfilled open job requisitions (38%), and high burnout among staff (38%). Further, 95% of respondents state the cyber security skills shortage and its associated impacts have not improved over the past few years and 44% say it has only gotten worse.
Notably, the three most often cited areas of significant cyber security skills shortages are cloud computing security, security analysis and investigations, and application security. These areas should be the focus for cyber security professionals when looking to develop skills.
According to the researchers, businesses are not investing in their people in a manner that appropriately reflects the direness of today’s cyber threat landscape. A striking 59% of respondents said their organisation could be doing more to address the cyber security skills shortage, with nearly one-third noting that their organisation could be doing much more.
Cyber security professionals need fair and competitive compensation. This came up several times in the research report and is clearly critical to hiring and retaining security personnel. In a new finding this year, not offering competitive compensation is the top factor (38%) contributing to organisations’ cyber security skills shortage, because it makes it difficult to recruit and hire the cyber security professionals that organisations need. More than three-quarters (76%) of organisations admit that it is difficult to recruit and hire cyber security staff, with nearly one-fifth (18%) stating it is extremely difficult. Being offered a higher compensation package is the main reason (33%) CISOs leave one organisation for another.
The report found that cyber security training needs to be funded appropriately. When asked what actions organisations could take to address the cyber security skills shortage, the biggest response (39%) was an increase in cyber security training so candidates can be properly trained for their roles. The main reason respondents cited for not meeting training requirements, given by nearly half (48%), was that their jobs do not pay for the training and they cannot afford it themselves.
The cyber security training paradox continues and needs attention. Nearly all (91%) respondents agree that cyber security professionals must keep up with their skills or the organisations they work for are at a significant disadvantage against today’s cyber-adversaries. Despite this need, 82% state that while they try to keep up with cyber security skills development, job requirements often get in the way. This is the paradox professionals face: they are called upon to make up for the existing skills shortage while falling behind on their own development.