The cybersecurity skills shortage has gotten worse for the third consecutive year, impacting 74% of organizations worldwide, according to a Thursday report from the Information Systems Security Association (ISSA) and Enterprise Strategy Group (ESG).
The report surveyed 267 cybersecurity professionals worldwide, and respondents reported that they believe the skills gap to be a primary cause for the rise in cybersecurity incidents. Nearly half (48%) of respondents said they experienced at least one security incident over the past two years that led to serious ramifications, including lost productivity, high costs for remediation, disruption of business processes and systems, and breaches of confidential data.
SEE: 10 tips for new cybersecurity pros (free PDF) (TechRepublic)
Cybersecurity professionals remain skeptical of their chances for successfully protecting their organization, the report found. The majority (91%) said they believe most organizations are vulnerable to significant cyberattacks, and 94% said they believe the balance of power is tipped toward cybercriminals instead of cyber defenders.
Even with these concerns, 63% of organizations have fallen behind on providing adequate training for cybersecurity professionals, the report found. The largest skills shortages are now in the areas of cloud security (33%), application security (32%), and security analysis and investigations (30%).
“Cybersecurity progress has been marginal at best over the last three years,” Jon Oltsik, senior principal analyst and fellow at ESG and the author of the report, said in a press release. “This should be of concern to technologists, business executives and private citizens and continues to cause an existential threat to national security.”
Cybersecurity professionals are dedicated to their craft: 42% of those surveyed have worked in the field for at least 10 years, the report found. The majority of cybersecurity pros (79%) said they started their career as IT professionals, and were attracted to the technical challenges and moral implications associated with security work. However, only 31% said they feel they have a well-defined career path today, and most said that they believed their career would benefit from activities like mentoring and career mapping.
Despite a lack of career guidance and staffing shortages, the cybersecurity professional’s workload continues to grow, the report found, leading to more time spent fighting fires and higher levels of burnout.
Here are the 10 most stressful aspects of the cybersecurity job:
- Keeping up with the security needs of new IT initiatives (40%)
- Finding out about IT initiatives/projects that were started by other teams within my organization with no security oversight (39%)
- Trying to get end users to understand cybersecurity risks and change their behavior accordingly (38%)
- Trying to get the business to better understand cyber risks (37%)
- The overwhelming workload (36%)
- Constant emergencies and disruptions that take me away from my primary tasks (26%)
- The fear of getting something wrong (25%)
- Keeping up with internal and regulatory compliance audits (25%)
- Monitoring the security status of third parties my organization does business with (24%)
- Sorting through the myriad of security technologies used by my organization (17%)
Perhaps due to these stressors, 47% of cybersecurity professionals report that they are only somewhat satisfied with their current job compared to 39% who say they are very satisfied, 10% who are not very satisfied, and 4% who are not at all satisfied, the report found.
The high levels of cybersecurity shortages have created a seller’s market for cybersecurity talent: In 2018, 77% of ISSA members said they were solicited for new jobs at least once a month, the report found.
“Organizations are looking at the cybersecurity skills crisis in the wrong way: it is a business, not a technical, issue,” Candy Alexander, executive cybersecurity consultant and president of ISSA International, said in the release. “Business executives need to acknowledge that they have a key role to play in addressing this problem by investing in their people…the research shows in order to retain and grow cybersecurity professionals at all levels, business leaders need to get involved by building a culture of support for security and value the function.”
For more, check out Infographic: How to solve the cybersecurity talent gap in your organization on TechRepublic.