joltsik
Contributing Writer

The cybersecurity skills shortage: A CISO perspective

Opinion
26 Mar 2024, 6 mins
CSO and CISO, IT Leadership, IT Skills

CISOs have a clear view of the skills shortage and its impact on their organizations. They need to educate executives, adjust their programs, and champion proactive change.


Each year, Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) collaborate on a research project resulting in a report titled, The Life and Times of Cybersecurity Professionals. As part of this project, respondents are asked a series of questions about the global cybersecurity skills shortage.

According to the panel, the cybersecurity skills shortage is all too real and quite impactful. In 2023, 71% of respondents said their organization had been impacted by the cybersecurity skills shortage. (Author’s note: The 2024 research project is well underway, and results will be presented at the RSA Conference while this year’s eBook will be published soon afterward).

Of course, these results were no surprise. ESG and ISSA have been conducting this research project for eight years. Every year we ask this same question, and every year 60% to 75% of organizations claim they are impacted by the skills shortage. These results are similar to other research studies, such as the Cybersecurity Workforce Study from ISC2.

Based on this data, it’s safe to assume that the general population of IT and cybersecurity personnel believe the security skills shortage is real, persistent, and impactful. Okay, but what do CISOs think? After all, they lead cybersecurity departments and own security programs at organizations throughout the world. Given this fact, they should have a bird’s-eye view of the situation and whether it is really altering their organizations.

Almost one-third of CISOs say they’re significantly impacted

Predictably, the ESG/ISSA data indicates that CISOs are, in fact, directly affected by the skills shortage condition. For example, nearly one-third (32%) say the cybersecurity skills shortage has had a significant impact on their organization, compared to 26% of all other respondents.

Just what has the skills shortage wrought? Like other cybersecurity pros, CISOs say that the skills shortage has increased workloads, driven higher rates of employee burnout, and led to jobs remaining open for weeks or months. Aside from these common responses, however, CISOs had some specific opinions on the skills shortage impact.

For example, nearly one-third (32%) of CISOs said the skills shortage led to an increase in human errors associated with cybersecurity tasks compared to 16% of other respondents. This may be a function of their wide purview, where CISOs see human error issues across the entire organization, compared to managers or staff who may be more heads down on their individual jobs.

Additionally, 38% of CISOs claimed that the skills shortage led to less collaboration between cybersecurity and business teams (compared to 26% of other respondents). This is likely a red flag for security executives, as aligning security with business priorities is at the heart of a CISO’s job responsibilities.

Lastly, 43% of CISOs say that the skills shortage led to hiring/training junior candidates rather than experienced candidates (compared to 28% of other respondents). Thus, CISOs are being forced to make suboptimal hiring and investment decisions that certainly impact overall team efficacy and efficiency.

What are the factors contributing to skills shortages?

In another survey question, respondents were asked to identify the factors contributing to the skills shortage at their organization. Once again, CISO responses stood out from the crowd. Sixty-eight percent of CISOs said that their organization simply doesn’t offer competitive compensation, making it difficult to recruit and hire talent (compared to 42% of other respondents).

This must be incredibly frustrating, causing proactive CISOs to sound alarm bells with the board of directors. Additionally, 41% of CISOs claimed that their organization doesn’t have a reputation as a cybersecurity leader, making it difficult to recruit and hire (compared to 25% of other respondents).

CISOs in this situation must double down on the job-related benefits cybersecurity pros look for, such as mentoring programs, continual training opportunities, and career development.

Finally, respondents were asked whether they believed their organizations were doing enough to address the cybersecurity skills shortage. Just under one-third (32%) of CISOs answered yes (compared to 26% of other respondents), but alarmingly, 41% of CISOs said their organization could be doing much more (compared to 35% of other respondents).

What can CISOs do?

What’s a CISO to do? While they can’t clone experienced cybersecurity pros for their staff, there are some best practices I’ve heard when speaking with dozens of security executives. These include:

Focusing on employee retention. Experienced cybersecurity professionals are poached daily, enticed with higher compensation and better working situations. Successful CISOs keep an eye on employee satisfaction and make sure to help staff manage stress levels. Active CISOs also open avenues for staff to grow their skill sets and career opportunities.

Acting as a cheerleader to executives and boards. There’s no reason why cybersecurity staff should be underpaid or underappreciated. Proactive CISOs educate the brass on competitive salary comparisons and risks/costs associated with understaffed teams and employee attrition. When it comes to cybersecurity staffing, executives must understand the foolishness of tripping over dollars to pick up pennies.

Working with IT on end-to-end process automation. How do you bolster staff efficiency without adding more bodies? Automate any process that can be automated. Automating security operations processes is a good start, but advanced organizations move beyond security alone and think about process automation across lifecycles that span security, IT operations, and software development. Examples could include finding/patching software vulnerabilities, segmenting networks, or DevSecOps programs.

Getting help. As part of their security program planning, CISOs must build in assumptions around the impact of the cybersecurity skills shortage on goals and objectives. This means that CISOs need to create an open cybersecurity model where managed service providers can seamlessly integrate with existing controls, established processes, and skill set strengths and deficits.


Jon Oltsik is a former distinguished analyst and fellow at the Enterprise Strategy Group and the founder of its cybersecurity practice in 2003. Jon remains active in the cybersecurity community, writing, consulting, and working with CISOs, cybersecurity practitioners, threat intelligence analysts, and security technology vendors.
