|
Research Findings
The Basic Facts
|
Die grundlegenden Fakten
|
As in past years, ESG and ISSA got some baseline information regarding cybersecurity professionals’ careers. For example:
|
Wie in den vergangenen Jahren erhielten die ESG und die IVSS einige grundlegende Informationen zur Karriere von Cybersicherheitsexperten. Zum Beispiel:
|
79% of cybersecurity professionals started their careers working in IT.
|
79% der Cybersicherheitsexperten begannen ihre Karriere in der IT.
|
When asked which skills were most helpful in the move from IT to cybersecurity, the top responses were IT operations knowledge and skills (61%), analytics skills (53%), hands-on technology knowledge and skills (48%), and business skills (as they relate to IT technologies and processes) (42%).
|
Auf die Frage, welche Fähigkeiten beim Übergang von der IT zur Cybersicherheit am hilfreichsten waren, waren die wichtigsten Antworten Kenntnisse und Fähigkeiten im IT-Betrieb (61%), Analysekenntnisse (53%), praktische Technologiekenntnisse und -fähigkeiten (48%) und unternehmerische Fähigkeiten (in Bezug auf IT-Technologien und -Prozesse) (42%).
|
When asked the reasons for becoming a cybersecurity professional, the top responses were the chance to use skills and curiosity to address technical challenges (43%), the opportunity to develop technical skills and knowledge (40%), it being a natural career move from IT (34%), and attraction to the morality of the profession (29%).
|
Auf die Frage nach den Gründen, warum Sie ein Experte für Cybersicherheit werden sollten, waren die wichtigsten Antworten die Möglichkeit, Fähigkeiten und Neugier einzusetzen, um technische Herausforderungen zu bewältigen (43%), die Möglichkeit, technische Fähigkeiten und Wissen zu entwickeln (40%), was ein natürlicher Karriereschritt von der IT war (34%) und Anziehungskraft auf die Moral von der Beruf (29%).
|
28% of survey respondents say that either they or other cybersecurity professionals they know have experienced significant personal issues because of stress associated with the cybersecurity profession (i.e., drug abuse, alcohol abuse, depression, etc.).
|
28% der Befragten geben an, dass entweder sie oder andere Cybersicherheitsexperten, die sie kennen, aufgrund von Stress im Zusammenhang mit dem Beruf der Cybersicherheit (z. B. Drogenmissbrauch, Alkoholmissbrauch, Depressionen usw.) erhebliche persönliche Probleme hatten.
|
50% of cybersecurity professionals surveyed say that job stress levels increased this past year as a result of remote worker support due to the COVID-19 pandemic. To help alleviate stresses caused by the pandemic, 36% of organizations instituted more CISO “check-ins” with staff, 32% created online social meetings for the cybersecurity team, and 24% added formal stress management programs driven by HR.
|
50% der befragten Cybersicherheitsexperten geben an, dass der Stress am Arbeitsplatz im vergangenen Jahr aufgrund der Unterstützung von Remote-Mitarbeitern aufgrund der COVID-19-Pandemie gestiegen ist. Um den durch die Pandemie verursachten Stress abzubauen, führten 36% der Organisationen mehr CISO-Check-Ins mit Mitarbeitern ein, 32% erstellten soziale Online-Meetings für das Cybersicherheitsteam und 24% fügten formelle Stressmanagementprogramme hinzu, die von der Personalabteilung geleitet wurden.
|
Survey respondents were also asked whether their organization employed a CISO. Those that did were asked several other related questions. On this topic, the research revealed:
|
Die Umfrageteilnehmer wurden auch gefragt, ob ihre Organisation einen CISO beschäftigte. Diejenigen, die dies taten, wurden mehrere andere verwandte Fragen gestellt. Zu diesem Thema ergab die Studie:
|
73% of survey respondents say that their organization employs a CISO while 5% say their organization employs a virtual CISO (vCISO).
|
73% der Befragten geben an, dass ihr Unternehmen einen CISO beschäftigt, während 5% angeben, dass ihr Unternehmen einen virtuellen CISO (vCISO) einsetzt.
|
Of those organizations that employ a CISO, 43% say that the CISO reports to the CIO, 29% say the CISO reports to the CEO, 9% say COO, 9% say “other,” and 10% don’t know.
|
Von den Organisationen, die einen CISO beschäftigen, geben 43% an, dass der CISO dem CIO Bericht erstattet, 29% geben an, dass der CISO dem CEO berichtet, 9% geben an, dass der CISO dem CEO berichtet, 9% sagen „andere“ und 10% wissen es nicht.
|
61% of respondents say their CISO is an active participant with executive management and the board of directors (or similar oversight group), 14% say their CISO is not an active participant with executive management and the board of directors (or similar oversight group), and 24% don’t know. 51% think their organization’s CISO’s level of participation with executive management and the board of directors is adequate, 23% do not think their organization’s CISO’s level of participation with executive management and the board of directors is adequate, and 26% don’t know.
|
61% der Befragten geben an, dass ihr CISO ein aktiver Teilnehmer der Geschäftsleitung und des Verwaltungsrats (oder einer ähnlichen Aufsichtsgruppe) ist, 14% geben an, dass ihr CISO kein aktiver Teilnehmer der Geschäftsleitung und des Verwaltungsrats (oder einer ähnlichen Aufsichtsgruppe) ist, und 24% wissen es nicht. 51% glauben, dass ihre Die Beteiligung des CISO der Organisation an der Geschäftsleitung und dem Verwaltungsrat ist angemessen. 23% glauben nicht, dass die Beteiligung des CISO ihrer Organisation an der Geschäftsleitung und dem Verwaltungsrat angemessen ist, und 26% wissen es nicht.
|
43% believe their CISO has been very effective, 49% believe their CISO has been somewhat effective, 6% say their CISO hasn’t been very effective, and 2% claim their CISO has not been effective at all.
|
43% glauben, dass ihr CISO sehr effektiv war, 49% glauben, dass ihr CISO etwas effektiv war, 6% geben an, dass ihr CISO nicht sehr effektiv war, und 2% geben an, dass ihr CISO überhaupt nicht wirksam war.
|
When asked to identify the most important qualities of a successful CISO, 39% said leadership skills while 30% said operational skills. The remaining 31% included business skills, technical skills, management skills, communications skills, and other.
|
Auf die Frage, die wichtigsten Eigenschaften eines erfolgreichen CISO zu ermitteln, gaben 39% Führungsqualitäten an, während 30% die operativen Fähigkeiten angaben. Die restlichen 31% umfassten unternehmerische Fähigkeiten, technische Fähigkeiten, Managementfähigkeiten, Kommunikationsfähigkeiten und andere.
|
Survey respondents were asked which factors are likeliest to cause CISOs to leave one organization for another. The most popular answers were: CISOs are offered a higher compensation package at another organization (33%), the organization doesn’t have a culture that emphasizes cybersecurity (31%), and cybersecurity budgets are not commensurate with the organization’s size and industry (29%).
|
Die Umfrageteilnehmer wurden gefragt, welche Faktoren CISOs am wahrscheinlichsten dazu veranlassen, eine Organisation für eine andere zu verlassen. Die beliebtesten Antworten lauteten: CISOs wird in einer anderen Organisation ein höheres Vergütungspaket angeboten (33%), die Organisation hat keine Kultur, die Cybersicherheit betont (31%), und die Budgets für Cybersicherheit entsprechen nicht der Größe und Branche des Unternehmens (29%).
|
Getting a Cybersecurity Job
|
Einen Job im Bereich Cybersicherheit bekommen
|
For the first time, ESG and ISSA asked cybersecurity professionals how they found their current job (see Figure 1). The highest percentage (38%) say that they found their job by networking with industry contacts while 24% were contacted by an industry recruiter and 22% responded to a job posting at their company (see Figure 1). Not surprisingly, there is a slight correlation between methods used for finding a job and seniority. Senior cybersecurity professionals are more likely to find their jobs through industry contacts and recruiters while those with less experience are more likely to use job postings. This information should help guide CISOs and HR professionals as they compete to fill job requisitions.
|
Zum ersten Mal befragten ESG und ISSA Cybersicherheitsexperten, wie sie ihren aktuellen Arbeitsplatz gefunden haben (siehe Abbildung 1). Der höchste Prozentsatz (38%) gibt an, dass sie ihren Job durch Netzwerke mit Branchenkontakten gefunden haben, während 24% von einem Branchenvermittler kontaktiert wurden und 22% auf eine Stellenausschreibung in ihrem Unternehmen reagierten (siehe Abbildung 1). Es überrascht nicht, dass eine leichte Korrelation zwischen den Methoden zur Arbeitssuche und dem Dienstalter besteht. Hochrangige Cybersicherheitsexperten finden ihre Stelle eher über Branchenkontakte und Personalvermittler, während Personen mit weniger Erfahrung eher Stellenausschreibungen nutzen. Diese Informationen sollen CISOs und Personalfachleuten helfen, im Wettbewerb um die Erfüllung von Stellenanforderungen zu konkurrieren.
|
Despite the ongoing cybersecurity skills shortage, skilled candidates often complain that it can be very difficult to begin a cybersecurity career. When meeting entry-level candidates, ESG analysts and ISSA members are often asked for advice in this area. In 2021, ESG and ISSA addressed this issue directly by including a new survey question asking survey respondents for their recommendations for those seeking to enter the cybersecurity field. Nearly half (49%) of respondents suggested getting a basic cybersecurity certification, 42% proposed joining a professional industry organization, and 36% recommended finding a mentor who is willing to help develop skills and career plan (see Figure 2). This guidance will hopefully help entry-level candidates jumpstart their careers.
|
Trotz des anhaltenden Fachkräftemangels in der Cybersicherheit beschweren sich qualifizierte Kandidaten häufig darüber, dass es sehr schwierig sein kann, eine Karriere im Bereich Cybersicherheit zu beginnen. Bei Treffen mit Einstiegskandidaten werden ESG-Analysten und IVSS-Mitglieder häufig um Rat in diesem Bereich gebeten. Im Jahr 2021 haben die ESG und die IVSS dieses Problem direkt angesprochen, indem sie eine neue Umfragefrage einschlossen, in der die Umfrageteilnehmer nach ihren Empfehlungen für diejenigen gefragt wurden, die in den Bereich Cybersicherheit eintreten Fast die Hälfte (49%) der Befragten gab an, eine grundlegende Cybersicherheitszertifizierung zu erhalten, 42% gaben an, einer professionellen Branchenorganisation beizutreten, und 36% empfahlen, einen Mentor zu finden, der bereit ist, bei der Entwicklung von Fähigkeiten und Karriereplänen zu helfen (siehe Abbildung 2). Diese Anleitung wird Einstiegskandidaten hoffentlich dabei helfen, ihre Karriere voranzutreiben.
|
Cybersecurity Careers Depend upon Hands-on Experience and Some Certifications
|
Karrieren im Bereich Cybersicherheit hängen von praktischer Erfahrung und einigen Zertifizierungen ab
|
Cybersecurity is highlighted by a plethora of esoteric technical certifications, so ESG and ISSA have continually asked survey respondents to tell us which certifications they’ve achieved, and which are most important. As in past years, survey respondents were asked to write in the answer to this question, and the top responses are listed in Figure 3. Of those certifications achieved, the most useful ones for getting a job are graphed in Figure 4 . In both graphics, the certified information systems security professional (CISSP) from (ISC)2 stands out—it’s the most popular certification and the one that’s most important for getting a cybersecurity job. Other certifications may be important tactically but should be viewed as vehicles for career advancement (in some cases) or to help cybersecurity professionals gain general knowledge in a cybersecurity subdiscipline (for example, certified ethical hacker).
|
Cybersicherheit wird durch eine Vielzahl esoterischer technischer Zertifizierungen hervorgehoben, weshalb ESG und ISSA die Umfrageteilnehmer ständig gebeten haben, uns mitzuteilen, welche Zertifizierungen sie erhalten haben und welche am wichtigsten sind. Wie in den vergangenen Jahren wurden die Umfrageteilnehmer gebeten, in die Antwort auf diese Frage einzuschreiben, und die wichtigsten Antworten sind in Abbildung 3 aufgeführt. Von diesen erreichten Zertifizierungen sind die nützlichsten Zertifizierungen für die Erlangung eines Jobs in Abbildung 4 dargestellt. In beiden Grafiken sticht der Certified Information Systems Security Professional (CISSP) von (ISC) 2 hervor - es ist die beliebteste und wichtigste Zertifizierung für einen Job im Bereich Cybersicherheit. Andere Zertifizierungen können taktisch wichtig sein, sollten jedoch als Mittel für den beruflichen Aufstieg (in einigen Fällen) oder als Unterstützung für Cybersicherheitsexperten angesehen werden, um allgemeines Wissen in einer Subdisziplin der Cybersicherheit zu erwerben (z. B. zertifizierter ethischer Hacker).
|
Cybersecurity professionals pursue a CISSP certification after accruing the requisite number of years of experience as this certification is a requirement for most available jobs. Beyond the CISSP, however, survey respondents take a more tactical approach to additional certifications based upon their skills, interests, and career plans. ESG and ISSA believe this is the right approach for certifications and career development. Rather than fill their resumes with acronyms, cybersecurity professionals should focus on hands-on training, mentoring, and professional networking as primary means for skills development. Rather, certifications should supplement these activities.
|
Cybersicherheitsexperten streben eine CISSP-Zertifizierung an, nachdem sie die erforderliche Anzahl von Jahren an Erfahrung gesammelt haben, da diese Zertifizierung für die meisten verfügbaren Stellen erforderlich ist. Über das CISSP hinaus verfolgen die Umfrageteilnehmer jedoch einen taktischeren Ansatz für zusätzliche Zertifizierungen, die auf ihren Fähigkeiten, Interessen und Karriereplänen basieren. Die ESG und die IVSS glauben, dass dies der richtige Ansatz für Zertifizierungen und Karriereentwicklung ist. Anstatt ihre Lebensläufe mit Akronymen zu füllen, sollten sich Cybersicherheitsexperten auf praktische Schulungen, Mentoring und professionelles Networking als primäres Mittel zur Entwicklung von Fähigkeiten konzentrieren. Vielmehr sollten Zertifizierungen diese Aktivitäten ergänzen.
|
ESG and ISSA have long held the belief that hands-on experience is the most important factor in cybersecurity career development, but this assumption was based on anecdotal data. In 2021, ESG and ISSA tested the hypothesis in the survey.
|
ESG und ISSA sind seit langem der Überzeugung, dass praktische Erfahrung der wichtigste Faktor bei der Karriereentwicklung im Bereich der Cybersicherheit ist, aber diese Annahme basierte auf anekdotischen Daten. Im Jahr 2021 testeten die ESG und die IVSS die Hypothese in der Umfrage.
|
The data supports this long-held belief again. Only 1% of respondents believe security certifications are more important than hands-on experience. Alternatively, 52% believe that hands-on experience is more important than certifications while 46% place equal value on hands-on experience and certification achievement (see Figure 5). Based on the research, ESG and ISSA believe that those who believe that hands-on experience and achieving security certifications are equally important have the CISSP certification in mind, as this is considered a foundational requirement for a cybersecurity career.
|
Die Daten stützen erneut diese seit langem bestehende Überzeugung. Nur 1% der Befragten glauben, dass Sicherheitszertifizierungen wichtiger sind als praktische Erfahrung. Alternativ glauben 52 Prozent, dass praktische Erfahrung wichtiger ist als Zertifizierungen, während 46% den gleichen Wert auf praktische Erfahrung und Zertifizierungsleistung legen (siehe Abbildung 5). Auf der Grundlage der Studie sind ESG und ISSA der Ansicht, dass diejenigen, die glauben, dass praktische Erfahrung und das Erlangen von Sicherheitszertifizierungen ebenso wichtig sind, die CISSP-Zertifizierung im Hinterkopf haben, da dies als Grundvoraussetzung für eine Karriere im Bereich Cybersicherheit angesehen wird.
|
Based upon this data, aspiring and advancing cybersecurity professionals should take a balanced approach to skills development. As previously stated, hands-on experience should be supplemented with the appropriate security certifications on an as-needed basis.
|
Auf der Grundlage dieser Daten sollten angehende und weitergehende Cybersicherheitsexperten einen ausgewogenen Ansatz bei der Entwicklung von Fähigkeiten verfolgen. Wie bereits erwähnt, sollte die praktische Erfahrung bei Bedarf durch die entsprechenden Sicherheitszertifizierungen ergänzt werden.
|
Cybersecurity Professionals: A 360 Degree View
|
Experten für Cybersicherheit: Eine 360-Grad-Ansicht
|
What are the most important factors that distinguish a satisfactory and unsatisfactory cybersecurity job? This question has been a constant in the ESG/ISSA research study for five years. Interestingly, the results have been fairly consistent. The top three priorities in 2021 are business management’s commitment to strong cybersecurity, competitive or industry-leading financial compensation, and the ability to work with highly skilled and talented cybersecurity staff (see Figure 6).
|
Was sind die wichtigsten Faktoren, die eine zufriedenstellende und unbefriedigende Aufgabe im Bereich Cybersicherheit auszeichnen? Diese Frage ist in der ESG/IVSS-Forschungsstudie seit fünf Jahren eine feste Größe. Interessanterweise waren die Ergebnisse ziemlich konsistent. Die drei wichtigsten Prioritäten im Jahr 2021 sind das Engagement der Unternehmensleitung für starke Cybersicherheit, wettbewerbsfähige oder branchenführende finanzielle Vergütung und die Fähigkeit, mit hochqualifizierten und talentierten Mitarbeitern der Cybersicherheit zusammenzuarbeiten (siehe Abbildung 6).
|
CISOs and HR executives take note, as this data represents what it will take to hire and retain cybersecurity professionals.
|
CISOs und Personalchefs nehmen zur Kenntnis, da diese Daten darstellen, was erforderlich ist, um Cybersicherheitsexperten einzustellen und zu halten.
|
With job satisfaction in mind, ESG and ISSA also wanted insight into the most stressful aspects of a cybersecurity job. Nearly two-thirds (32%) of survey respondents claim it is finding out about IT/initiatives/projects that were started by other teams (within the organization) with no security oversight (see Figure 7). This makes sense. Security professionals want to be engaged in projects from the start so they can “bake in” rather than “bolt on” security. Similarly, nearly one-third (31%) of respondents believe it is stressful working with disinterested business managers while another 31% point to the overwhelming workload. Similar to the top response, 24% of security professionals believe it is stressful keeping up with the security needs of new IT initiatives. Clearly, cybersecurity professionals want to be involved in projects from the start and want to see cybersecurity commitment from business and IT associates. When these conditions are absent, organizations will likely face high employee burnout and staff attrition.
|
Mit Blick auf die Arbeitszufriedenheit wollten ESG und die IVSS auch Einblicke in die stressigsten Aspekte eines Jobs im Bereich Cybersicherheit. Fast zwei Drittel (32%) der Umfrageteilnehmer geben an, etwas über IT/Initiativen/Projekte zu erfahren, die von anderen Teams (innerhalb der Organisation) ohne Sicherheitsaufsicht gestartet wurden (siehe Abbildung 7). Das ist sinnvoll. Sicherheitsexperten möchten von Anfang an an Projekten beteiligt sein, damit sie die Sicherheit „einbacken“ können, anstatt sie „anzukurbeln“. In ähnlicher Weise halten fast ein Drittel (31%) der Befragten die Arbeit mit desinteressierten Geschäftsführern für stressig, während weitere 31% auf die überwältigende Arbeitsbelastung hinweisen. Ähnlich wie bei den Top-Antworten halten 24% der Sicherheitsexperten es für stressig, mit den Sicherheitsanforderungen neuer IT-Initiativen Schritt zu halten. Natürlich möchten Cybersicherheitsexperten von Anfang an in Projekte einbezogen werden und möchten, dass Unternehmen und IT-Mitarbeiter sich für Cybersicherheit engagieren. Wenn diese Bedingungen nicht vorliegen, werden Unternehmen wahrscheinlich mit einem hohen Burnout der Mitarbeiter und einer Abwanderung von Mitarbeitern konfrontiert sein.
|
As in the past, security professionals were asked their opinions on several topics (see Figure 8). A few stats stand out:
|
Wie in der Vergangenheit wurden Sicherheitsexperten zu verschiedenen Themen nach ihrer Meinung gefragt (siehe Abbildung 8). Ein paar Statistiken fallen auf:
|
Conflict between the need for training and time allocated to training remains a critical issue: 91% of respondents agree that cybersecurity professionals must keep up with their skills or their organizations are at a significant disadvantage, yet 59% agree that while they try to keep up on cybersecurity skills, it is hard to do given the demands of their jobs. ESG and ISSA call this situation the cybersecurity training paradox. CISOs take note and make sure to convince the organization that ample training time and resources are an absolute requirement.
|
Der Konflikt zwischen dem Schulungsbedarf und der für die Schulung aufgewendeten Zeit bleibt ein kritisches Problem: 91% der Befragten stimmen zu, dass Cybersicherheitsexperten mit ihren Fähigkeiten Schritt halten müssen oder dass ihre Unternehmen erheblich benachteiligt sind. 59% stimmen jedoch zu, dass sie versuchen, ihre Fähigkeiten im Bereich Cybersicherheit aufrechtzuerhalten, Angesichts der Anforderungen ihrer Arbeit ist es schwierig zu tun. Die ESG und die IVSS bezeichnen diese Situation als Paradox im Bereich der Cybersicherheit. CISOs nehmen zur Kenntnis und überzeugen die Organisation davon, dass ausreichend Schulungszeit und Ressourcen eine absolute Voraussetzung sind.
|
Cybersecurity professionals tend to pride themselves on their endurance and competitiveness, masking the personal price these jobs can have. The research supports this as 60% agree that a cybersecurity career can be taxing on one’s work/life balance, and 38% agree that they often feel an unhealthy level of stress with their jobs. Accordingly, CISOs should constantly monitor the mental health of team members while establishing programs for stress relief.
|
|
58% of survey respondents agree that security professionals spend too much time on the technical aspects of cybersecurity and not enough time on how cybersecurity aligns with the corporate mission. ESG and ISSA believe this is a fundamental industry dilemma, sometimes called the “shiny object problem.” To address this, CISOs must always reinforce the business focus of cybersecurity within the security team.
|
|
Interestingly, despite the personal challenges represented in this data, 79% of cybersecurity professionals agree that they are happy as cybersecurity professionals. ESG and ISSA believe that this commitment to the mission regardless of the challenges is what makes cybersecurity professionals special. Rather than business or technical professionals, cybersecurity professionals behave like dedicated public servants, with a focus tilting toward the greater good rather than personal accolades.
|
|
In another opinion question, survey respondents were asked how long it takes a cybersecurity professional to become proficient at their job. The plurality of respondents (35%) believe it takes anywhere from 3 to 5 years to develop real cybersecurity proficiency, while 25% say 2 to 3 years and 17% claim it takes more than 5 years (see Figure 9). Three to 5 years is a long time. CISOs should do everything they can to accelerate staff skills development and retain employees with this level of experience.
|
|
It is often said that cybersecurity is a “team sport.” In other words, an organization’s cybersecurity program success goes beyond the information security team alone and depends upon commitment and cooperation across the entire organization. With this collaborative ideal in mind, survey respondents were asked to characterize the working relationship between their organization’s cybersecurity team and other departments (see Figure 10). The data indicates that the best relationships are with IT, executives, legal, and operations teams, but ESG and ISSA believe a few points are noteworthy:
|
|
16% of respondents said the relationship between security and IT teams is fair or poor. This is somewhat alarming since these teams must work together constantly on tasks like technology deployment, configuration management, and risk mitigation.
|
|
21% of respondents said the relationship between security and executives was fair or poor. Similarly, 27% said the relationship between security and the board of directors was fair or poor. These are likely organizations that still believe that security is related to technology and not the business. It’s likely that these firms still equate security with regulatory compliance.
|
|
29% of respondents said the relationship between security and HR was fair or poor. This is of concern since the two groups work together on projects like security awareness training, recruitment, and hiring. These tasks are probably managed sub-optimally at organizations with fair or poor security/HR working relationships.
|
|
What can organizations do to improve some of these relationships? Survey respondents were asked this question directly about the relationships between security, IT, and business management teams. With regard to improving the security/IT relationship, security professionals suggest making sure security staff is included in all IT projects from the beginning, embedding cybersecurity staff within functional technology groups, and increasing cybersecurity training for all IT staff (see Figure 11).
|
|
These suggestions are especially interesting. Recall that the most stressful aspect of a security job identified previously relates to IT projects/initiatives lacking security oversight. Alleviating this issue will not only decrease employee stress but also improve the working relationship between security and IT as well as overall security protection. Embedding cybersecurity staff members into functional technology groups is happening with activities such as DevSecOps focused on cloud-native application development. Along with additional security training (especially for software developers), organizations are fusing security into more aspects of IT people, processes, and technologies.
|
|
In terms of the relationship between security and business management, survey respondents suggest encouraging cybersecurity participation in business planning and strategy, improving cyber-risk identification/quantification, and focusing cybersecurity resources and investments on business-critical assets (see Figure 12). Like the IT relationship, cybersecurity pros believe that working closer and earlier with business teams can be beneficial. As this happens, security teams must be prepared with the right communications, reports, and metrics that present cybersecurity in a business context.
|
|
The Cybersecurity Skills Shortage Persists, and in Many Cases, Continues to Worsen
|
Translation in progress...
|
ESG and ISSA believe the cybersecurity skills shortage has two major implications. The most obvious is a shortage of talented cybersecurity professionals, with simply more cybersecurity job openings than qualified candidates to fill them. The other implication isn’t as widely discussed but is at least as important: Many members of the current cybersecurity workforce lack the advanced skills necessary to safeguard critical business assets or counteract sophisticated cyber-adversaries.
|
|
After researching the cybersecurity skills shortage for five years, ESG and ISSA are convinced that it is real and impactful, yet each report on the subject receives a fair amount of negative feedback, questioning its existence. Comments include theories that there are plenty of cybersecurity professionals to go around, if only organizations knew how and where to recruit them.
|
|
Based on this feedback, ESG and ISSA asked survey respondents a basic question in the 2021 survey: Has the cybersecurity skills shortage been overstated? As it turns out, one-third of respondents share the opinion that the skills shortage has been greatly or somewhat overstated, but the highest percentage of cybersecurity professionals (44%) believe it has received the right amount of attention, while 23% claim it has been understated (see Figure 13).
|
|
As further research clearly indicates, the cybersecurity skills shortage is real, leading to lots of problems for organizations. At the same time however, the research points to the fact that some organizations may be experiencing self-inflicted wounds and truly don’t recruit well, provide the right level of training, or address the skills shortage with the right strategies. In essence, both groups are right: The skills shortage is real, but organizations could and should be doing more.
|
|
As in past years, ESG and ISSA wanted to understand the implications of the global cybersecurity skills shortage and how it is affecting organizations. For the first time, the data improved slightly. This year, 57% of organizations claim they’ve been impacted by the cybersecurity skills shortage, compared to 70% in 2020 and 73% in 2019 (see Figure 14).
|
|
While this data point seems to represent an encouraging trend, additional data paints a different picture. Last year, ESG and ISSA added a question asking cybersecurity professionals whether they believe the cybersecurity skills shortage is improving or getting worse. This year’s results are distressing as 44% believe the cybersecurity skills shortage (and its impact) have gotten worse over the past few years while 51% say it’s about the same today as it was over the past few years (see Figure 15). Sadly, only 5% believe the situation has gotten better.
|
|
Based upon years of research, ESG and ISSA firmly believe that the cybersecurity skills shortage is a long-term reality where the industry has achieved little progress. While education and recruitment programs may be worthwhile, CISOs must craft enterprise security programs that accommodate and plan for perpetual skills shortages.
|
|
As in the past, survey respondents working at organizations impacted by the cybersecurity skills shortage were asked about the ramifications experienced (see Figure 16). Once again, the top response (62%) was that it has increased the workload on existing staff (similar to last year’s results, 58%). This is the biggest consequence of the skills shortage by far. Additionally, 38% of respondents indicated that the skills shortage has led to new security jobs remaining open for weeks or months (this may be one reason why 29% of organizations must hire and train junior employees rather than experienced candidates). Consistent with the mental health theme described previously, 38% of respondents said that the skills shortage has led to employee burnout and employee attrition.
|
|
It is also noteworthy that one-third of respondents say that the skills shortage has led to a situation where the cybersecurity team is unable to learn or utilize some security technologies to their full potential. Think about that for a moment: Organizations determine they need some new security technology for threat prevention, detection, or response. They go through the rigor of researching, purchasing, testing, configuring, deploying, and operating the product as well as training staff. After all this work, they still lack the staff or skills to operate the product correctly. Given this situation, CISOs must reassess their priorities, only purchasing technologies that can be used appropriately. In other cases, organizations should consider managed services as an alternative to underutilized security technologies.
|
|
For the first time, organizations claiming to be impacted by the cybersecurity skills shortage were asked to identify contributing factors. The three top responses included issues related to compensation, HR’s understanding of cybersecurity skills, and working in an industry that may be unattractive to cybersecurity professionals (see Figure 17). It is also worth noting that 25% pointed to unrealistic job postings (i.e., asking for skills that were not commensurate with compensation offered, real job requirements, etc.). To some extent, this data supports the theory that the cybersecurity skills shortage is related to mismanagement rather than a dearth of qualified candidates or advanced skills.
|
|
Compensation is a binary issue—either an organization offers competitive compensation, or it does not. The same could be said of an organization’s industry. If compensation or industry is unappealing, the hiring company is at a distinct disadvantage and will only be successful at recruiting if other job attributes are especially attractive (i.e., working hours, training opportunities, benefits, etc.). With regard to compensation, CISOs must lobby HR, finance, and other departments to offer competitive salaries, or they face a perpetual losing battle for staff recruitment and retention. As for other factors mentioned, CISOs must ensure that HR departments and recruiters are well versed in cybersecurity needs and put together accurate and realistic job postings as part of their recruitment process.
|
|
Additional data from this year’s survey results add further evidence to the extent of the cybersecurity skills shortage. According to Figure 18, when asked how difficult it is to recruit cybersecurity professionals, 76% of security professionals say it is either extremely (18%) or somewhat difficult (58%).
|
|
Survey respondents were asked to identify areas with the most acute skills shortages. Nearly four in ten (39%) cite cloud computing security, followed by nearly a third (30%) who identify application security and/or security analysis and investigations as areas of personnel deficiency (see Figure 19).
|
|
CISOs must understand the level of competition for candidates with these skill sets. It may be worthwhile to craft backup plans if recruitment efforts languish or fail completely. Examples include training software developers and DevOps personnel on application security, recruiting and training server virtualization administrators as cloud computing security specialists, and working with experienced managed services providers.
|
|
The research also points out that it is most difficult to recruit mid-career and senior cybersecurity professionals while fewer organizations have trouble recruiting entry-level security staff or cybersecurity leadership (see Figure 20).
|
|
While organizations find it difficult to recruit and hire cybersecurity staff, security professionals are constantly being recruited for new positions with promises of higher pay, better benefits, and an assortment of perks. In fact, 70% of the cybersecurity professionals surveyed are solicited to consider other job opportunities at least once per month (see Figure 21). Furthermore, 71% of survey respondents believe that the frequency/volume of job solicitations has increased over the past few years. Cybersecurity truly remains a seller’s market.
|
|
In 2021, survey respondents were once again asked to identify who is responsible for addressing the cybersecurity skills shortage. Respondents indicate that CISOs/CSOs really own this problem (see Figure 22). Are these individuals and the organizations they work for doing enough to address the cybersecurity skills shortage? Not according to survey respondents, as 27% believe their organization could be doing somewhat more to address the skills shortage while nearly one-third (32%) say their organizations could be doing much more here (see Figure 23).
|
|
As previously stated, this data reinforces the need for CISOs/CSOs and the organizations they work for to plan for staff and skills shortages by including plans for additional use of professional/managed services and process automation. Organizations should also research, test, and pilot “smart” security solutions based on advanced analytics. These technologies vary widely in terms of efficacy and should be approached cautiously, but their potential to augment human skills in the future is worth pursuing.
|
|
With most respondents believing that their organizations could do more to address the skills shortage, ESG and ISSA asked them for some specific recommendations (see Figure 24). Cybersecurity professionals suggested actions like increasing the commitment to cybersecurity training, increasing compensation, providing additional perks, and creating or improving a cybersecurity internship program.
|
|
The top three recommendations are clear; organizations need to offer competitive compensation, benefits, and training opportunities to attract top cybersecurity talent. Aside from these basics, survey respondents have some additional advice such as looking beyond security and IT for talent, working more closely with cybersecurity professional organizations, and increasing work with local colleges and universities. In summary, successful cybersecurity recruiting requires a bit of experimentation and creativity. Organizations should take chances with the goal of creating programs that are attractive to the cybersecurity community. CISOs should gather further feedback and enlist the HR department’s help to create this type of environment.
|
|
|
|