Key findings from “The Life and Times of Cybersecurity Professionals 2020”
Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) recently published their fourth annual report on the experiences of cybersecurity professionals. “The Life and Times of Cybersecurity Professionals 2020” reflects the responses of 327 cybersecurity professionals and ISSA members, predominantly in the US (92 percent), with the remaining eight percent from Europe, Asia and South America.
This survey serves as a clear and direct way to understand and derive insights around the profession of cybersecurity. Some of the findings aren’t new, such as the skills shortage, but new and emerging results are intriguing as well, especially around career paths. The survey took place in late 2019 and early 2020, prior to the coronavirus pandemic, so the findings don’t take these massive changes into consideration.
We’ll take a deep dive into each conclusion and what it means for cybersecurity professionals.
The cybersecurity skills gap worsens
The 2020 report reiterates the findings of previous reports, with lots of concern around the cybersecurity skills gap. The cause of the gap is multi-faceted, and it involves a lack of planning and strategy on the part of both professionals and organizations. Even though there are various courses and certifications for those in the field, there appears to be no clear career path or standardization around upskilling or reskilling.
Without a compass to navigate, the skills gap only gets broader, and 70 percent of respondents said their organization is feeling the impact of this. Further, 45 percent believe it’s getting worse, while 48 percent say it’s about the same. This data is similar to past years, so it’s clear there’s been no substantial improvement.
What’s been the impact of the skill gap on organizations?
The respondents’ answers describe a workplace that has become unrelenting for cybersecurity professionals. The top answers were:
- Increased workload
- Job openings stay unfilled for too long
- Hiring inexperienced candidates
- Inability to learn new skills
- High burnout
Why is the cybersecurity skill shortage so alarming?
For cybersecurity professionals, it’s concerning for several reasons:
- They have a larger workload because jobs remain open, which could lead to burnout and frustration
- They are less likely to be able to learn new skills and use them if they are constantly behind due to fewer team members
- They may have concerns that there’s no path to move up in their career if they are too busy putting out fires all day
The study reveals that employees put the onus of addressing this on the CISO/CSO, and only 32 percent feel the organization is taking the right steps to alleviate the problem.
The skill gap is a concern for all stakeholders
For business, government entities and leaders, this should be worrisome as well. Cybersecurity is an essential element of any organization. In fact, it gets even more critical every day, as cybercriminals hone their skills. It comes down to this for many stakeholders: who do you want improving their skills? The hackers or those in the field? The report recommends a new holistic approach to cybersecurity learning at every level of the educational system.
What’s the best approach to addressing the skills gap, holistically?
The ESG defined several key elements in “The Life and Times of Cybersecurity Professionals 2020” report:
- Process automation: Organizations need to eliminate anything manual that can be automated and provide the right tools to standardize this across the enterprise
- Advanced analytics usage: Analytics is a goldmine for organizations to improve alert fidelity, better assess risk scores, identify root causes and augment security data
- Offloading and outsourcing to MSPs (managed service providers): If the tasks aren’t high-value or don’t require expertise, shift them to other parties outside the organization
- Continuous skill development: Businesses should commit to ongoing upskilling for their cybersecurity teams
Career paths aren’t well-defined, but professionals have aspirations
Cybersecurity professionals face a lot of ambiguity about career paths, with 68 percent of respondents confirming they don’t have a clear career path. However, many participants (47 percent) did define where they’d like to end up: as a CISO.
This data point is interesting because the role of a CISO isn’t to contribute to cybersecurity actively. The CISO is a C-suite position that’s visionary and requires a range of skill sets beyond technical knowledge. Those who want to pursue this route need to expand their portfolio of skills around leadership, communication and business operations.
Cybersecurity expertise is more hands-on than credential-driven
The survey added a new question about what was most integral to respondents’ career development: hands-on experience or certifications. The results revealed that 52 percent said hands-on, while 44 percent said both are equally important.
What does this mean for the profession? Certifications provide frameworks and foundational knowledge that is then applicable when you’re in the job. It’s clear that both of these things matter; they are just different sides of the same coin.
What contributes to job satisfaction?
The report also seeks to understand how cybersecurity professionals measure job satisfaction. The conclusion is that it’s about much more than money. Respondents defined several other areas that drive satisfaction, including:
- Business’s commitment to cybersecurity
- Support for continuing education
- Working with skilled and talented colleagues
These points should all be part of any company’s cybersecurity recruiting strategy. Engaged and satisfied employees are more productive and loyal. Less turnover brings more benefits for employers: a study found that the cost of employee turnover in midrange positions is 20 percent of the annual salary, and for highly-educated positions, it’s 213 percent.
Training remains inadequate, and the time to become proficient is measured in years
Training for any job is imperative to high performance and longevity. If employees start off without any guidelines, it’s hard for them to find success. The report reveals that training is another concerning issue for those in the field, with 36 percent of participants reporting there should be a bit more training and 29 percent saying there should be significantly more training.
The lack of training has been a topic for all four years of the survey, and it continues to trend up, which is a deficit for both the employer and the employee. Training isn’t solely the responsibility of the IT department. HR and employee success roles should be involved, as well.
In addition to training being less than satisfactory, cybersecurity professionals also feel it takes years to really be proficient. Many (39 percent) said that three to five years is the norm. In any career, it takes time and experience to become a true expert. However, cybersecurity has some unique circumstances since it’s an ever-evolving world. You can’t ever stop learning cybersecurity. This revelation ties into the belief that hands-on experience is necessary to learn. It also reiterates the importance of ongoing learning opportunities.
Many see their CISOs as ineffective
A new question for this year in “The Life and Times of Cybersecurity Professionals 2020” was a direct query on the effectiveness of respondents’ CISO. The largest share (47 percent) said somewhat effective, while 42 percent said they were very effective and 12 percent responded they weren’t effective at all.
This type of question is subjective, and there are many reasons people would reply one way or the other. Respondents may believe their CISOs aren’t effective because they lack technical knowledge or just aren’t good communicators. The best CISOs have a range of skills that allow them to lead but also understand the technicalities. As noted earlier, though, CISOs aren’t active cybersecurity practitioners. They fill a business value role, and those underneath them may not think they are delivering on this, or may simply not be aware of what they do.
Who’s keeping up with cybersecurity?
Another new question for the 2020 survey dealt with which entities have the best handle on cybersecurity challenges. Respondents identified two verticals that are struggling: government agencies and schools. Most said that both these areas should be doing much more to address cybersecurity.
It’s a lot to unpack when looking at how the government and schools manage security. There are many layers: lots of red tape, budget issues and more. The revelation here is that cybersecurity professionals have concerns and don’t see these two critical parts of the country’s infrastructure succeeding in protecting their networks and data.
Cybercriminals have the advantage
Professional cyber-defenders feel they don’t have the upper hand over cybercriminals. The results revealed that 67 percent give the advantage to cybercriminals, which is up 8 percent from the previous year.
Since many participants believe they don’t have the support, educational opportunities or leadership, it’s not surprising they feel like the underdogs. It doesn’t, however, mean this opinion can’t change. It comes back to bridging the skills gap and ensuring that companies make cybersecurity a priority, not an afterthought. This requires action and providing professionals with what they need to be successful.
What can stakeholders learn from the survey?
There are some critical insights in this survey from which all stakeholders can learn. Professionals in the field can use this to gauge peers and see if their own assumptions are consistent. It can also give them ideas about how to position their career path and help their organization better understand what’s necessary for a healthy cybersecurity program.
Organizations can take from this survey that they need to make some adjustments in their information security. They need to provide employees with ongoing learning opportunities and ensure they have the tools to do their jobs well. They also can’t lag behind on adopting new processes and expanding their teams.
Public and private entities need to fundamentally change the future of cybersecurity careers with advocacy, structured educational programs, and a commitment to making security a priority.
Source: “There Are Significant Business Costs to Replacing Employees,” Center for American Progress