According to the most recent research report from ESG and the Information Systems Security Association International (ISSA), 57 per cent of organisations say they have been impacted by the global cyber security skills shortage, while 44 per cent believe the shortage has grown worse over the past few years.
The result? Increasing workloads on existing cyber security staff, job requisitions open for weeks or months, and high burnout rates and attrition for cyber security professionals. ESG and ISSA will update and present their latest research at this year’s RSA conference.
The most understaffed cyber security roles
Which jobs are most understaffed? According to ESG research from late 2022, 37 per cent of organisations have a shortage of security architects. Based on my experience, this shortage is acute in two areas: cloud security architects and architects focused on technology integration (i.e., consolidating multiple point products into a cohesive platform architecture).
Meanwhile, 35 per cent of organisations have a shortage of security engineers. Security engineers are the folks who install, configure, and maintain security solutions, so a lack of security engineers means security technology that is bought but never fully deployed or tuned.
ESG is also seeing growing demand for individuals skilled in detection engineering (i.e., detection as code, writing Sigma and YARA rules, etc.). Hence the proliferation of vendors such as Anvilogic, CardinalOps, and SOC Prime that aim to bridge the detection engineering gap.
Also, 34 per cent of organisations have a shortage of tier-3 SOC analysts. These are the most experienced SOC analysts, who handle the difficult escalations and investigations and are often tasked with proactive threat hunting. Without tier-3 analysts, organisations have no choice but to ask generalists to do specialist work.
Delving deeper, 33 per cent of organisations have a shortage of vulnerability management analysts. A shortage here leads to increased cyber risk as IT assets remain undiscovered, misconfigured, and vulnerable.
In addition, 31 per cent of organisations have a shortage of CISOs, BISOs, or other senior cyber security positions. This shortage means that many organisations are operating security programs without the necessary leadership to identify cyber risk, manage an enterprise security program, and work with executives to align security with the business. Very scary!
Why a down economy will make the cyber security shortage worse
We’ve been dealing with the cyber security skills shortage for years, but there’s a bit of a new wrinkle here: the current state of the economy. Over the next 12 to 18 months, economic headwinds will exacerbate the impact of the cyber security skills shortage. Here are my two cents:
1 - Cyber security pros will be more selective about job shopping:
Over the past 10 years, security professionals have been offered generous compensation packages, often tied to stock options. Now that the markets are down and IPOs are nowhere to be seen, security professionals will eschew equity for cold hard cash.
Beyond compensation alone, economic turmoil tends to drive more risk-averse behaviour. Cyber security professionals are likely to hunker down, take a cautious approach to career progression, and wait for the economic storm to clear. These behaviour changes may be felt most in Silicon Valley, where risky career moves and equity-heavy packages are standard operating procedure.
2 - Increasing use of security services will drain the talent pool:
Look at anyone’s research and you’ll see that more organisations are turning to managed services to augment overburdened and under-skilled internal security staff. For example, recent ESG research on security operations indicates that 85 per cent of organisations use some type of managed detection and response (MDR) service, and 88 per cent plan to increase their use of managed services in the future.
As this pattern continues, managed security service providers (MSSPs) will need to add headcount to handle increasing demand. Because service provider business models depend on scaling operations through automation, each analyst they hire generates more revenue than the same analyst would in an enterprise SOC, so providers can justify offering more generous compensation than typical organisations.
One aggressive security services firm in a small city could easily gain a near-monopoly on local talent. At the executive level, we will also see increasing demand for the services of virtual CISOs (vCISOs) to create and manage security programs in the near term.
3 - Hiring freezes will get in the way:
During economic downturns, organisations often make draconian blanket decisions like cutting training, reducing the workforce, or freezing all new hires. When this happens, CISOs must fight HR for every hire they need, slowing the hiring process and forcing organisations to manage security while understaffed or lacking critical skills.
Yup, economic headwinds throw a wrench in the works for CISOs – especially those already dealing with security staffing and skills issues. What can they do? Increase training budgets, reinforce their commitments to key employees, work with vendors to get the most out of their products, and supplement staff with service providers.