The cybersecurity skills crisis continues to worsen for the fourth year in a row and has impacted nearly three quarters (70 percent) of organizations, according to a new report from the Information Systems Security Association (ISSA) and Enterprise Strategy Group (ESG).
The top ramifications of the skills shortage for organizations (or cybersecurity teams) include an increasing workload, unfilled open job requisitions, and an inability to learn or use cybersecurity technologies to their full potential, putting organizations at significant risk.
The study confirms that there has been no significant progress towards a solution to the problem of the cybersecurity skills gap during the four years it has been closely researched. In fact, 45 percent of respondents state the cybersecurity skills shortage and its associated impacts have only gotten worse over the past few years.
“As this and past reports clearly indicate, key constituents are not looking at the profession strategically. While we are making some fragmented progress, the same issues present themselves year after year,” said Jon Oltsik, Senior Principal Analyst and ESG Fellow.
Cybersecurity professionals need a comprehensive globally accepted career development plan
Without guidance and a clear path to follow, it is difficult for new candidates to know what is needed and how to acquire the skills necessary to enter the profession. Current professionals are far too often left figuring out how to advance their careers on their own. The ESG/ISSA research reinforces these points as:
• Cybersecurity professionals continue to need career guidance. Sixty-eight percent of the cybersecurity professionals surveyed don’t have a well-defined career path and historical solutions are only compounding problems.
• Cybersecurity careers depend upon hands-on experience and hands-on experience requires a job. When asked which was most important for their career development: hands-on experience or security certifications, 52 percent chose hands-on experience. Still, 44 percent claim that hands-on experience and certifications are equally important. This combination requires the right job, the right experience, and the right career plan but few cybersecurity professionals can claim this combination.
• It takes years to become a proficient cybersecurity professional. Thirty-nine percent believe it takes anywhere from 3 to 5 years to develop real cybersecurity proficiency, while 22 percent say 2 to 3 years and 18 percent claim it takes more than 5 years. This means that entry level cybersecurity pros should be viewed as long-term investments, not immediate problem solvers.
Businesses are not investing in their people or supporting cybersecurity integration within the organization
Sixty-four percent of respondents believe their organization should be doing somewhat or a lot more to address cybersecurity challenges. ESG and ISSA believe that business executives see this as a technical problem rather than a business issue.
• Organizations are not providing the right level of cybersecurity training. Thirty-six percent of respondents reported that they thought that their organizations should provide a bit more cybersecurity training, while 29 percent believe their organizations should provide significantly more training. Further, 28 percent believe they are not providing enough training for non-technical employees. Based on 4 years of research, training seems to be a perpetual shortcoming. Alarmingly, there seems to be on plan for improvement.
• CISOs and business executives could do more together. Fifty-five percent believe there is adequate CISO participation with executives and corporate boards in 2020, trending upward slightly. Still, 24% think that CISOs and business executives could do more together.
Other critical constituencies were also rated on their ability to keep up with cybersecurity challenges and the data indicates that industry and community at large need to step up: For example, 68 percent of respondents believe that cybersecurity technology and service vendors should be doing somewhat or a lot more and 71 percent of respondents believe the cybersecurity community at large should be doing somewhat or a lot more.
“The cybersecurity gap cannot be addressed by simply filling the pipeline with new people. What’s needed is a holistic approach, starting with public education, comprehensive career development and planning, and career mapping – all with the support and integration with the business,” said Candy Alexander, Board President, ISSA International.