Stats on the Cybersecurity Skills Shortage: How Bad Is It, Really?
Is it just a problem of too few security professionals, or are there other reasons enterprises struggle to build infosec teams?
April 11, 2018
While plenty of CISOs today find ways to successfully build out effective cybersecurity teams, most industry pundits agree that the process is a bear. One of the biggest complaints is that there just aren't enough experienced, talented security professionals to fill the roles available - but there is talent for the taking if organizations know where to look for it. Nevertheless, the numbers support the fact that market constraints on security brainpower are a very real factor. Here's what the most recent data shows.
According to survey data from ISACA, the majority of organizations struggle to fill their open cybersecurity positions today. Only about half of organizations report they can fill cybersecurity positions in under six months. Fewer than one in 10 organizations say they can speedily fill positions within a month of vacancy.
An annual survey by Cyber Edge Group shows that the cybersecurity skills shortage has increasingly become a priority for security leadership. It's moved from the fifth-most pressing concern to the number one obstacle for putting sound security in place. The roles to experience the biggest shortfalls in available talent are general purpose security admins and SOC responders.
Meanwhile, Dark Reading found in a survey of cybersecurity professionals that it isn't just role-based competencies that are difficult to fill. Some of the hardest skills to find are people skills and a deep knowledge of the risks inherent to the environments and industries relevant to a given organization.
When organizations have a hard time filling security positions, they suffer from very real risk-related consequences. The most obvious is the risk of burnout among the good people on staff. Close to two-thirds of organizations told ISSA and ESG Research that when positions remain unfilled, that means more workload for existing staff - and that usually means more burnt-out staff. Around four in 10 organizations say existing staff are spending time firefighting, which means they're less likely to work strategically on security, less likely to align cybersecurity with the business, and less likely to get the most out of their expensive security spend.
One of the most recent cybersecurity skills surveys conducted by Vanson Bourne on behalf of McAfee found that while 84% of organizations reported some difficulty in bringing on skilled security professionals, a lot of them were also not doing much to truly attract talent. The organizations who complained it was impossible to hire good security people were least likely to offer training opportunities, flexible working hours, or the chance to use new technology.
One of the most obvious ways organizations can overcome the market constraints on security skills is to increase their investment in training. Not only will it improve and maintain skill levels among existing team members, but it's also a big recruiting tool for attracting the security go-getters most interested in constantly honing their skills. Unfortunately, a survey by Dark Reading found that fewer than a quarter of organizations can say their security staff is fully up-to-date on training. That's usually due to under-investment in both training materials and work hours devoted to completing training. According to a recent Cybrary survey, only about 15% of employers cover all of their security employees' training expenses.
Many times organizations are afraid to open their wallets to train employees, because they're afraid all that knowledge will be poached by a new company once an employee levels up their skills. After all, nearly half of security professionals report that they are solicited by headhunters and recruiters at least once per week. However, succumbing to the greener pastures training fear is giving up before an organization has even started. Headhunters and other hiring experts say organizations have to work hard to make themselves more attractive in this recruiting environment. That starts most obviously with increasing salaries commensurate with the realities of the shortage, but also means improving work culture through better training, flexible hours, opportunities for advancement, and reasonable workloads.
Finally, organizations that are struggling should also get creative about recruiting. One recent thought from Vanson Bourne and McAfee is to consider tapping into the gaming community. Almost three in four hiring managers say they think hiring experienced video gamers might be a good way to creatively fill security skills gaps, even if those gamers don't have direct cybersecurity knowledge. According to the survey, the attributes of a typical gamer often translate into the kinds of innate skills that hiring managers look for in security pros.