Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:10 PM
Connect Directly

How the Skills Gap Strains and Constrains Security Pros

New ISSA/ESG survey underscores increasing pressures and security fallout of a strapped security team.

Most cybersecurity professionals are struggling with heavier workloads and insufficient time to properly master and deploy all of their security tools' features, as well as hone their own skills, according to a new report.

The third annual Enterprise Strategy Group (ESG) and Information Systems Security Association (ISSA) International report on the state of cybersecurity professionals worldwide says nearly three-quarters of organizations are dealing with the fallout of the industry's skills gap. In the past two years, nearly half of the organizations surveyed suffered at least one damaging security incident in which a critical system was compromised, according to the report.

More than 65% of security pros say their current job demands typically impede their ability to develop and advance their skills, and 47% say they can't fully learn and use some security technologies to their "full potential."

"Cybersecurity professionals don't have the luxury of time to improve their skills and manage their careers," says Jon Oltsik, senior principal analyst and fellow at ESG and author of the report. That's a dangerous trend given the increasing demands of more IT devices, applications, and cloud migration without advancing security with these IT moves, he notes.

Overall, cybersecurity pros are fatalistic about their ability to protect their organizations from attackers: A full 91% say most organizations are vulnerable to a major cyberattack, and 94% say cybercriminals and nation-state hackers have the edge over defenders.

"Cybersecurity professionals feel their organizations are at a significant disadvantage if they don't have the ability to acquire new skills," says Candy Alexander, president of ISAA International and an executive cybersecurity consultant.

The report, which drew from a survey by ESG of 267 security and IT pros from ISSA and other groups worldwide, highlights the disconnect between the increasing demands on security pros and the lack of sufficient training and support they need to stay on top of threats.

Some 63% say their organization fails to properly train security staff, which is lacking most glaringly in cloud security, application security, and security analysis and investigation talent.

Filling vacancies and expanding teams takes time. According to a recent ISACA report, finding and hiring qualified cybersecurity pros takes longer than ever now: Thirty-two percent of organizations say filling a position takes six months, up from 26% last year, and more than 60% of organizations say positions sit vacant for at least three months, up from 55% last year.

Stressed Out
Some of the biggest stressors for security pros lie in-house: keeping abreast of new IT projects (40%), learning about new IT projects launched without input or help from the security team (39%), getting end users to embrace best security practices (38%), and getting the business side to better comprehend the risks of cyberthreats (37%).

According to Alexander, those and other organizational stresses are driving some CISOs out the door and to gigs as so-called virtual CISOs, where they operate as a contractor CISO for an organization. It's sort of a next-generation consultant role for C-level security executives. Some 10% of organizations in the survey employ a virtual CISO, while nearly 30% of CISOs in the survey work on this contractor basis, 21% are thinking about doing so, and 33% say they would weigh that option in the future.

That jibes with Alexander's own career path from a traditional CISO to virtual CISO, she says. "It's been a natural progression. Part of that driver is the frustration and stress of being an FTE [full-time employee] CISO," she says. "By going into this virtual space, I am now able to go and do the work without having to prove the value [of the work]. Organizations who hire virtual CISOs know what they need, and you're not fighting organizational challenges that could include fighting for budget."

Meanwhile, cybersecurity professionals remain in high demand in what is still a seller's market. Some 77% of cybersecurity pros are contacted by recruiters at least once a month, and 44% at least once a week. "If you want to develop your career, cybersecurity will have no shortages of offers," Oltsik notes.  

Tipping Point
Among the suggestions security pros have for their organizations is to add cybersecurity goals and metrics for IT and business managers, increase training for the security team as well as nontechnical staff, and provide higher security budgets, according to the report.

"We're at a tipping point in cybersecurity: It's more strategic to the business now, and things that were done in the past aren't really working. If you realize that's the case, then you have to start with strategic changes so the CISO can come in and ... help put [together] the right security program and strategy," Oltsik says.

Related Content:




Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
[email protected],
User Rank: Moderator
5/10/2019 | 1:52:23 PM
How the Skills Gap Strains and Constrains Security Pros
Kelly great article.  Is it possible the industry professionals are creating or perpetuating the problem?  I learned from a senior military NCO many years ago, "You're expendable!"  For these professionals to make the statement "they don't have time", sets themselves and the company they work for up for failure, disaster, breaches, you pick.  I took from your article that this is a mentality of the sky is falling in the security realm.  May I ask, how many of these companies are helping themselves and their security team by creating or are actively engaged in finding a solution outside of the traditional ways? This is a self-inflicted wound as we'd say in the military.  It could have been avoided, most importantly it can be corrected.  This situation is a SNAFU and not a FUBAR.

Kelly, if such a high percentage believe the Opposing Force has the edge, a repeatable solution has to be implemented to stave them off.  Are these professionals in your article advocating change within their company or are they simply just dealing with it?

Of the 65% impeded by their jobs, what percentage have onboarded a junior security member?  How many are willing to take on a junior member to mentor?  Is it more productive to be tired and burned out as security professional or to be focused?  How many have made an investment to aid in growth?  I've read many articles similar to yours stating the same thing, but I've only read one this year where the writer proposed a solution.  Here's my two cents.

Investing is done with a goal of receiving "something" in the near or distance future.  Investing is intentional and planned.  Investing is purposeful, planned and should be well executed.  How many of the professionals surveyed are investing in an aspiring or junior security professional?  "Nothing from nothing leaves nothing", no investing in the future means no return, therefore, no gain or in this case no progress in finding a solution to the frustration and burnout these professionals are experiencing.

As as an SME in my fields, in the military, I learned when and what to delegate.  Without delegation being overworked, stressed and substandard performance are guaranteed.  Delegation is not dumping your undesired tasks onto some else's plate, it's giving another individual the opportunity to learn, with oversight.  Yes, you have will spend time training that individual and in the beginning your workload is increased, but in the end a professional is created and a more manageable workload surfaces.  Oversimplified?  Yes, it is, but it's a recipe for a beginning.

I was trained to find solutions to problems and that failure was not an option.  This crisis in the making is manageable.  Just my two cents.
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-13
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.