High Cybersecurity Staff Turnover is an 'Existential Threat'

Nearly two-thirds (65%) of cybersecurity professionals struggle to define their career paths—leading to a high turnover rate that opens up big security holes within organizations.

A study from the Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG) revealed that the skills shortage has created a job market that represents an existential threat to those companies that can’t retain adequate cybersecurity talent, making it harder for organizations to protect critical IT assets.

“This research paints an escalating and dangerous game of cybersecurity ‘cat and mouse,’ and today’s cybersecurity professionals reside on the front line of this perpetual battle, often knowing they are undermanned, under-skilled and under-supported for the fight,” said Jon Oltsik, senior principal analyst at ESG.

A big part of the issue is that nearly two-thirds (65%) of respondents do not have a clearly defined plan to take their careers to the next level. This is likely due to the diversity of cybersecurity focus areas, the lack of a well-defined professional career development standard and map, and the rapid changes in the cybersecurity field itself.

But also, continuous cybersecurity training is lacking, adding to the lack of focus: When asked if their current employer provides the cybersecurity team with the right level of training to keep up with business and IT risk, more than half (56%) of survey respondents answered “no,” suggesting that their organizations needed to provide more or significantly more training for the cybersecurity staff.

The study also uncovered that cybersecurity certifications are a mixed bag: Over half (56%) of survey respondents had received a CISSP and felt it was a valuable certification for getting a job and gaining useful cybersecurity knowledge. Other than the CISSP certification, however, cybersecurity professionals appear lukewarm on other types of industry certifications. Based upon this data, it appears that security certifications should be encouraged for specific roles and responsibilities, but tend to be downplayed as part of a cybersecurity professional’s overall career and skills development.

All of these things lead to job dissatisfaction, which in turn contributes to cybersecurity staff turnover rates. And that means that while many organizations are willingly bolstering their cybersecurity defenses and making cybersecurity a top business and IT priority, 46% of organizations say they have a problematic shortage of cybersecurity skills, according to ESG research. And indeed, about 46% of cybersecurity professionals said they are solicited to consider other cybersecurity jobs (i.e., at other organizations) at least once per week. In other words, cybersecurity skills are a sellers’ market, where experienced professionals can easily find lucrative offers to leave one employer for another. This risk is especially high in lower-paying industries like academia, health care, public sector and retail.

When it comes to the CISO, the research found that he or she succeeds or fails based upon leadership skills and face-time with executive management and the board of directors. Many CISOs are not getting enough face time in the boardroom, a significant contributing factor to CISO turnover. When asked why CISOs tend to seek new jobs after a few short years, cybersecurity professionals responded that CISOs tend to move on when their organizations lack a serious cybersecurity culture (31%), when CISOs are not active participants with executives (30%), and when CISOs are offered higher compensation elsewhere (27%).

“These conclusions point to the need for business, IT, and cybersecurity managers, academics, and public policy leaders to take note of today’s cybersecurity career morass and develop and promote more formal cybersecurity guidelines and frameworks that can guide cybersecurity professionals in their career development,” said Candy Alexander, CISO, ISSA Cyber Security Career Lifecycle (CSCL) Chair. “Independent organizations such as the ISSA with its CSCL are taking the lead on such initiatives. This research data will help the ISSA strengthen its groundbreaking program.”

Added Oltsik, “In spite of these issues however, it is encouraging that 79% of survey respondents strongly agree or agree that they are happy as a cybersecurity professional. Together with a moral imperative that attracts people to the cybersecurity profession, this data point speaks volumes about cybersecurity professionals who are willing to passionately fight the good fight regardless of their personal situations.”
