At the end of each year, ESG (Enterprise Strategy Group) conducts a wide-ranging global survey of IT professionals on challenges, purchasing plans, strategies, etc. In 2018-2019, cybersecurity skills topped the list. Asked to identify areas where their organization has a problematic shortage of skills, 53 percent of respondent organizations, more than half, reported a “problematic shortage” of cybersecurity skills. This seems to be a problem with no solution in sight. IT architecture/planning skills came in second at 38 percent.
But this is not a new challenge. What is actually worrisome is that the cybersecurity skills deficit has held the top position in ESG’s annual survey every year. Furthermore, the percentage of organizations reporting a problematic shortage of cybersecurity skills continues to increase.
In 2015-16, 42 percent of organizations reported this shortage, and the number went up to 45 percent the very next year. In 2017-18, it stood at 51 percent, and in the latest survey the share of organizations that identify a shortage of cybersecurity skills as the top concern stands at 53 percent.
Despite a number of valuable industry and academic programs in place to address this issue, research from ESG and others indicates that the cybersecurity skills shortage is getting incrementally worse each year.
Analysts point out some solutions:
Treating the shortage as a national emergency, national leadership needs to take up this challenge by various means. These could include scholarship funding, a national awareness campaign, and departmental programs driven by the departments of commerce, education, energy, homeland security, and justice. It would also be worthwhile to identify a highly visible cybersecurity evangelist who can be responsible for establishing metrics, driving programs, and reporting back to the nation on progress. Since there is no national agenda, the states should step up and create at least a state-wide strategy.
Another solution could be a more thorough public/private partnership. A more focused effort on working with the cybersecurity technology community is needed. Of course, an integrated industry effort would be a smart solution as well. Established cybersecurity and technology vendors such as Amazon, Check Point, Cisco, Dell, Facebook, Google, HP, IBM, McAfee, Microsoft, Oracle, Palo Alto Networks, Symantec, and Trend Micro should pool their resources and talent to create strategies and programs for cybersecurity training. An industry-wide organization would have tremendous visibility and power to get the job done.
But in the meantime, CISOs and their security managers must take the cybersecurity skills shortage into account. They should strive for continuous training of their cybersecurity staff and encourage cybersecurity personnel to participate in professional organizations, such as ISSA, while investing in new security technologies built for automation, integration, and streamlined operations. In addition, CISOs must take a portfolio management approach to cybersecurity workloads and be open to outsourcing tasks to service providers when necessary.