Working in cybersecurity in 2022: The good, the bad and the ugly
We have heard for years now that the cybersecurity field offers job security, good salaries, and continuous opportunities for growth. At the same time, we have also heard from recruiters about the difficulty in finding good talent and from IT leaders that those in the corner office still aren't prioritizing cybersecurity as they should.
But are these claims backed by the numbers? And are there other trends we should be watching for in the years ahead?
One source of ground truth can be found in The Life and Times of Cybersecurity Professionals 2021, Volume V, a research project completed by The Enterprise Strategy Group and the Information Systems Security Association (ISSA), released in July 2021.
This article will highlight what it is really like working in the cybersecurity field from the inside out, including the good, the bad and the ugly.
FREE role-guided training plans
The value of cybersecurity professional development
One of the most notable findings in ESG's studies was how pronounced cybersecurity professionals believed their organizations were failing them when it came to ongoing professional development.
For example, while 91% of respondents agree that cybersecurity professionals need to find the time to keep up to date with their skills or their organizations could suffer, 59% percent acknowledge that their "job requirements often get in the way." Making matters worse, most respondents (67%) agreed that they've had at least one job "in which I've worked for an organization that really doesn't understand or fund cybersecurity well."
These trends stand in stark contrast to how businesses are quick to note how they are struggling to address the negative effects of the large and lingering cybersecurity skills gap.
When ESG asked respondents what their organizations could do to address the cybersecurity skills shortage, their top suggestions were to increase:
- The organization's commitment to cybersecurity training
- Compensation levels to make them more competitive
- Incentives like paying for certifications or participation in industry events
Cybersecurity professionals noted such investments helped balance out the on-the-job experiences that they gained. For example, 52% said that "hands-on experience is more important than certifications," while 46% emphasized the benefits of hands-on experience and earning a certification.
Diverging views of the cybersecurity skills gap
In addition to seeing the value of investing in and prioritizing continuing education differently, cybersecurity professionals and their employers also disagree on several key elements of the cybersecurity skills gap.
While more than three-quarters of ESG's respondents say that it is "extremely or somewhat difficult to recruit and hire security professionals, "only 44% of professionals believe the skills gap has received the right amount of attention from their employers." An additional 23% believe that the issue "has been understated."
Making matters worse, 29% believe that their "HR department doesn't understand the skills needed for cybersecurity," and 25% claim "that job postings at their organization tended to be unrealistic."
Despite these differences in perspectives in filling key cybersecurity job functions, respondents to the ESG study stated that the industry's overall skills shortage has less impacted them. Namely, only 57% of organizations state that they have been affected by the skills shortage, down from 70% in 2020 and 73% in 2019. The top three jobs identified as focus areas for hiring include cloud computing security, security analysis and investigations and application security.
The value of experienced cybersecurity professionals
Despite gains in the sophistication and awareness of security tools and controls, having experienced cybersecurity professionals has never been more critical to an organization's security posture.
The ESG study found that one-third of respondents revealed that, despite having the right technology in place, failing to have the right staff in place "has led to a situation where the cybersecurity team is unable to learn or utilize some security technologies to their full potential." In other words, as organizations move through the business processes of researching, testing, implementing, configuring and deploying a security product, their failure to equally value the role of experienced cybersecurity professionals has left them in a vulnerable position.
Across the cybersecurity profession, the Certified Information Systems Security Professional (CISSP) credential from (ISC)² was viewed as the most important and popular (51%) for landing a job in the field, followed by the ISACA CISM, CompTIA Security+, ISACA CISA and ISACA CRISC certifications.
More broadly, when respondents were asked what skills were the most helpful for those looking to make a move from IT into the security field, the top responses included:
- IT operations knowledge and skills (61%)
- Analytics skills (53%)
- Hands-on technology knowledge and skills (48%)
- IT-related business skills (42%)
What should you learn next?
Looking ahead
While the ESG study captured the perspectives, experiences and thoughts of just a subset of cybersecurity professionals at just one point in time, the results continue to paint a powerful picture of the health and future of the industry.
Notably, the study highlights the need for organizations to focus on increasing the value and investment that they place on security, including growing junior talent and supporting overall professional development. The top suggestions provided by the respondents on what organizations could focus on the most in the years ahead (increasing their commitment to cybersecurity training and directly supporting training ) can help organizations fill their vacant roles and improve their overall cybersecurity resilience. A true win-win for the cybersecurity profession.
Sources
- The Life and Times of Cybersecurity Professionals 2021, Volume V, The Enterprise Strategy Group and Information Systems Security Association
- The cybersecurity skills gap persists for the fifth year running. TechRepublic.
Get unlimited and self-paced training for you or teams in your organization with Infosec Skills.
- 190+ role-guided learning paths
- 100s of hands-on labs & cyber ranges
- Custom certification practice exams
In this Series
- Working in cybersecurity in 2022: The good, the bad and the ugly
- Top-paying cybersecurity jobs and salary trends for 2024
- The importance of IT certifications in boosting your career
- Understanding the role of a network engineer in IT
- The role of the chief information officer (CIO) in cybersecurity
- What is a network engineer and how to become one?
- What does a system administrator do and how to become one?
- Cyber security hiring: Tips and best practices
- Cybersecurity soft skills: Career benefits of public speaking
- CompTIA Data+ certification: Opening doors to new careers
- Surviving cybersecurity burnout: Tips from industry experts
- How to make a mid-career change to cybersecurity
- 7 top security certifications you should have in 2024
- The Changing Role of the Modern SOC
- Discover the top 5 information security management certifications
- CySA+ versus CASP+: Is the CySA+ good enough for a career in cybersecurity?
- The best cybersecurity jobs in 2023: Trends, roles and salaries
- Top 10 penetration testing certifications for security professionals (2023)
- How to land an entry-level cybersecurity job: Essential skills and certifications
- 133 cyber security training courses you can take now — for free
- Breaking down barriers: How to make cybersecurity more inclusive and diverse
- Computer forensics interview questions
- The digital security forensic analyst salary guide
- Applying linguistics to cybersecurity: The journey of Jade Brown, a 2022 Infosec Scholarship winner
- The Path to “Career 4.0”: Amy Bonus leverages humanities, FinTech experience to bring Cybersecurity to the layperson
- Security engineer: Degree vs. certification
- Cybersecurity engineer: CyberSeek
- Infosec Accelerate Scholarship winner highlights essential qualities of a successful cybersecurity professional
- Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
- Cloud security engineer interview questions and answers
- Prior preparation results in a big payoff for Jason Mondragon, an Army veteran transitioning into cybersecurity
- Infosec scholarship winner Kandice Kucharczyk salutes her mentors as she sets her sights high
- Which CompTIA cert is right for you: Security+, PenTest+, CySA+ or CASP+? [updated 2023]
- How VetsInTech and Infosec Laid the Path to Gaurav Panta’s New IT Career
- Infosec 2022 scholarship winner Anthony Torres: Bringing the Marine Corps ethos to the cyber domain
- Infosec Scholarship winner Chris Chisholm knows the power of service and diversity in cybersecurity
- Betta Lyon Delsordo, Infosec scholarship 2022 winner, is a true life-long learner
- A veteran transitions from military medical logistics to multi-national security analyst
- An Army National Guard member fast tracks his cybersecurity career transition with VetsinTech
- How a career harnessing Navy nuclear energy can power a transition to a Security+ certification
- What is a cloud administrator? Essential roles and skills
- Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
- Should you take the CCSP/SSCP before the CISSP? [updated 2022]
- (ISC)² certifications: The ultimate guide [updated 2022]
- CCSP vs. Cloud+ [updated 2022]
- Data architect: The ultimate career guide
- The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]
- I failed IAPP’s CIPP/C certification. Here’s how I recovered
- How learning to be "Always Flexible" helped a Marine in earning the Security+ certification
- How to learn and pass your next certification exam
- Mission accomplished: How one army veteran turned neurobiologist moved into cybersecurity
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Professional development
Professional development
Professional development
Professional development
The role of the chief information officer (CIO) in cybersecurity