Cybersecurity skills crisis is affecting 70 percent of organizations
We've been talking about the cybersecurity skills gap for more than a decade, but new research from the Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG) reveals it's not going away.
The shortage has impacted 70 percent of organizations, with consequences including increasing workloads, unfilled open job vacancies and an inability to learn or use cybersecurity technologies to their full potential.
Of the cybersecurity professionals surveyed, 68 percent say they don't have a well-defined career path. When asked which was most important for their career development, 52 percent chose hands-on experience, while 44 percent claim that hands-on experience and certifications are equally important.
"As this and past reports clearly indicate, key constituents are not looking at the profession strategically," says Jon Oltsik, senior principal analyst and ESG Fellow. "While we are making some fragmented progress, the same issues present themselves year after year, including a shortage of skills, under-trained employees, and the stress and strain caused by a career in the cybersecurity field. These disturbing trends should be of concern to corporate directors and business executives, particularly in light of the alarming findings this year that 67 percent of respondents believe that cyber-adversaries have a big advantage over cyber-defenders."
The length of time it takes to gain sufficient skills in cybersecurity is a factor, with 39 percent believing it takes anywhere from three to five years to develop real cybersecurity proficiency, while 22 percent say two to three years and 18 percent claim it takes more than five years. For employers, this means that entry-level cybersecurity pros should be viewed as long-term investments, not immediate problem solvers.
Organizations should provide a bit more cybersecurity training, according to 36 percent of respondents, while 29 percent believe their organizations should provide significantly more training.
"The cybersecurity gap cannot be addressed by simply filling the pipeline with new people. What's needed is a holistic approach, starting with public education, comprehensive career development and planning, and career mapping -- all with the support and integration with the business," says Candy Alexander, board president of ISSA International.
The full report is available from the ISSA site.