We’ve been hearing a lot about the cyber security skills shortage for several years now, and a recent study documents just how severe the shortage is and the impact it is having on many organizations.
The State Of Cybersecurity 2019 report by ISACA, a global association helping individuals and enterprises achieve the positive potential of technology, said retaining qualified cyber security professionals is increasingly challenging for organizations. They are struggling to keep their security workforce staffed as competitors increasingly lure away employees who are enticed by higher pay and bonuses.
As part of its research, ISACA in November 2018 surveyed more than 1,500 cyber security professionals worldwide who hold the organization’s Certified Information Security Manager (CISM) and/or CSX Cybersecurity Practitioner (CSXP) designations, and a majority of the respondents (69%) said their cyber security teams are understaffed.
The short supply of qualified security professionals has led to unfilled positions and a widening work skills gap, the report said. More than half of the respondents (58%) said their organizations have unfilled cyber security positions. The share of organizations languishing at least six months before they are able to fill open cyber security positions is on the rise, from 26% in 2017 to 32% in 2018.
One of the reasons cyber security roles remain unfilled for many months is the lack of qualified professionals applying to open positions. Nearly 60% of the survey respondents indicated that only 50% or less of the applicants for open cyber security positions are qualified. And 29% said fewer than one quarter of applicants have sufficient qualifications to be considered for open cyber security positions.
Compared with data from the previous year’s survey, these findings are basically unchanged and indicate a static state of struggle to attract qualified applicants, the report said. A majority of respondents said most vacancies are in technical cyber security positions.
On the other hand, few cyber security executive or C-suite positions are unfilled, with 72% of respondents indicating their organizations have no executive position openings.
Three quarters of the respondents expect an increase in hiring demand for technical professionals, with no specific role or level experiencing a noteworthy decline in demand. This is relatively in line with the results from last year’s survey.
The survey showed that retaining cyber security professionals is exceptionally difficult, even when companies offer enticements such as training and certification. While 57% of respondents said their organizations offer increased training as incentives to keep people within the organization, 82% indicated that most individuals leave their companies for others because of financial and career incentives such as higher salaries, bonuses, and promotions.
Incentives such as training are not necessarily what cyber security professionals need to advance in their careers, the study noted. It’s more important that they gain business acumen, because many organizations want people who understand business operations and how cyber security fits into the greater needs of the organization.
Somewhat surprisingly, given the recent push to attract more female workers to the security profession, the report noted that gender diversity programs are declining and are perceived as less effective than in the past.
Only 45% of the survey’s female respondents think both men and women have equal opportunity for career advancement. This represents a downward trend from 51% the previous year. The survey also found that fewer than half of cyber security organizations have a gender diversity program.
“Attempts to diversify the workforce and create gender inclusion are either not happening enough or are failing to meet employee expectations,” said Rob Clyde, board chair of ISACA. “Respondents do not believe their organizations prioritize increasing the number of women in cyber security roles or advancing them within the organization.”
Another key finding is that cyber security budget increases are expected to slow slightly. While most of the survey respondents still expect an increase in their cyber security budget, they are not expecting as much of a rise as in the previous year.
More than half (55%) report that they expect an increase in cyber security budgets, a decline from the previous year’s 64%. When asked about funding, 60% indicated that they consider their cyber security budget to be underfunded, with nearly 20% saying their budgets are significantly underfunded.
Regardless of funding, clearly organizations need to step up their efforts to find talent.
“We’re in a highly fluid environment where organizations are increasingly challenged by competitive forces,” Clyde said. “Creative and competitive retention efforts are more important than ever in the current environment, and organizations should make it a priority to identify ways to boost their cyber security teams.”