Cybersecurity pros battle discontent amid skills shortage

The cybersecurity skills crisis continues in a multi-year freefall that has impacted 71% of organizations and left two-thirds of cybersecurity professionals stating that the job has become more difficult over the past two years—while 60% of organizations continue to deflect responsibility, according to a new report from ESG and ISSA.

A career in cybersecurity is becoming more difficult in an increasingly challenging environment

66% of respondents believe that working as a cybersecurity professional has become more difficult over the past 2 years, with 27% stating it is much more difficult. Internal issues like workload complexity, staffing shortages, and budget deficits combined with external issues like the dangerous threat landscape and regulatory compliance challenges have made this profession progressively more difficult.

81% of respondents cite the increased cybersecurity complexity and workload as why their careers are more difficult now. 59% point to the increase in cyberattacks due to an expanding attack surface, and 46% state that their cybersecurity team is understaffed.

43% agree that budget pressures and regulatory compliance complexity have increased and present further challenges. 8% of cybersecurity professionals have experienced one or several disruptive security events at their organization that have made their work more difficult.

Most cybersecurity professionals aren’t very satisfied with their career choices

Cybersecurity professionals face daily job stress like an overwhelming workload, working with disinterested business managers, falling behind business initiatives, and keeping up with the security needs of new IT projects. Little wonder then why less than half of security pros are very satisfied with their current jobs, and 50% of security pros claim it is very likely, likely, or somewhat likely they will leave their current job this year.

The global cybersecurity skills shortage continues unabated

71% of organizations report that the cybersecurity skills shortage has impacted them—a dramatic increase from 57% in the last study, leading to an increased workload for the cybersecurity team (61%), unfilled open job requisitions (49%), and high burnout among staff (43%), according to respondents.

Further, 95% of respondents state the cybersecurity skills shortage and its associated impacts have not improved over the past few years, and 54% (up 10% from 2021) say it has only gotten worse. Respondents pointed to application security, cloud security, and security analysis and investigations when asked to identify areas where the security skills shortage is most acute.

60% of respondents believe that their organization could be doing more to mitigate the cyber skills shortage, with 36% stating that they could do much more. Respondents say that their organizations could increase security professional compensation, provide advanced non-monetary incentives, educate HR professionals and recruiters, and increase their commitment to cybersecurity training to address the ongoing skills shortage better.

CISOs must lead the charge

When asked to identify the qualities that make CISOs successful, 71% pointed toward leadership or communications skills. CISO effectiveness varies – 31% of respondents claim their CISO is very effective, 40% believe their CISO is effective, and 26% say their CISO is somewhat effective.

Survey respondents were also asked how their organizations could improve their cybersecurity programs. The top responses included increasing cybersecurity training for IT and security professionals, improving the organization’s cybersecurity culture, hiring more staff, increasing the cybersecurity budget, and improving basic security hygiene and posture management.

“For a majority of organizations, cybersecurity continues to be treated as a cost center or compliance mandate versus a business enabler or growth driver,” said Candy Alexander, Board President, ISSA International. “Cybersecurity professionals are charged with protecting the organization while being overworked, overstressed, and understaffed. There was a point in time where organizations could get away with doing ‘good enough security,’ but those days are gone. Relentless, AI-fueled cyberattacks and expanding attack surfaces are a sampling of new problems that are going to overwhelm and overrun underinvested cybersecurity programs. Executive management needs to recognize that their business goals are only possible if cybersecurity successfully enables their business to operate in today’s threat environment day after day.”