Survey: Cybersecurity Skills Shortage is ‘Bad,’ But There’s Hope

Automation, strategic process design and an investment in training are the keys to managing the cybersecurity skills gap, according to a recent survey from Trustwave.

More than half of cybersecurity professionals in a recent survey — 57 percent — reported that the cybersecurity skills shortage is either “bad” or “very bad” at their companies.

That’s according to a recent survey and whitepaper published by Trustwave, which also outlined a prescription for addressing the problem: A savvy combination of on-the-job training, strategic security design and the implementation of automation where appropriate.

The report, titled “How to Minimize the Impact of the Cybersecurity Skills Shortage,” asked 130 cybersecurity professionals working in mid-to-large-sized businesses how they viewed the current landscape.

“Enterprises across all industries face increasing cybersecurity threats,” Jesse Emerson, vice president of managed-security services at Trustwave, said in an email to Threatpost. “At the same time, organizations struggle to find the skilled cybersecurity professionals they need.”

The report added almost half of those younger than 25 said they would rather use their skills for fun or “secretive activities” than fighting cybercrime. However, there are some positive signs of the tide shifting toward more investment in ethical hacking, thanks in part to an increase in popularity of bug-bounty programs in the wake of the pandemic.

What’s Driving the Skills Shortage?

Increasing exposure, ferocious growth in cybercrime numbers and a lack of qualified cybersecurity professionals to combat rising threats has created a critical shortage of manpower in the cyber-defense sector.

On top of that, these are stressful jobs, the report explained, exacerbated by staff being stretched to their limits. And, a rapid charge to the cloud and exploding numbers of remote workers during the pandemic are expanding attack surface at an unprecedented rate.

One in nine of those surveyed reported “very high stress,” with that number expected to hit one in five (20 percent) by next year.

“It’s a job that’s almost doomed to failure, and repeated failure at that,” the report explained. “‘Assume you’ve been breached’ is common advice across the cybersecurity industry, which doesn’t engender feelings of efficacy in cybersecurity professionals for their ability to do a great job. More than 90 percent of cybersecurity professionals believe cybercriminals outgun them, and that their organizations are vulnerable to a significant cyberattack.”

Making recruiting and retaining cybersecurity talent even more challenging, the report said, is the reality that cybersecurity pros are often actively headhunted and lured away from jobs, with the promise of bigger paychecks and cushier benefits with other companies.

All of this is making it challenging for companies to keep up. In Sept. Forrester declared that  enterprise security teams are “drowning in alerts,” with the average security-operations group getting more than 11,000 security alerts daily.

“Our survey of cybersecurity professionals showed that the skills shortage is having a serious, negative impact on organizations’ ability to perform a variety of key cybersecurity functions,” Emerson added. “These include proactively threat hunting, acting on threat intelligence and performing security testing among others.”

The prescription, according to the Trustwave report, is a “three-pronged approach of people, process and technology.”


The shortage of skilled people requires business to both make the most out of the staff you have by automating processes where it makes sense. The report identifies four areas where it might make sense to automate.

These included identity and access management; malware detection; vulnerability analysis and patching; and artificial intelligence and machine learning – all of which help to identify potential attacks.

The Sept. Forrester report found that only 13 percent of organizations they surveyed were using automation and machine learning to identify and respond to threats.

Invest in Training

Once those processes have opened time for staff, the report suggests it’s important to both invest in ongoing training, as well as provide time for strategic thinking and planning.

Better training keeps people up-to-date on the latest threats, builds employee loyalty and provides a path for entry-level staffers to build knowledge and experience, according to the survey.

The report added that more training also means a “greater likelihood of developing strong and resilient security practices across the organization, taking into consideration the current threat landscape.” It added, “Broader and deeper skill competencies give cybersecurity professionals the ability to see beyond the latest flurry of alerts to the more fundamental changes needed for proactive defense.”

Managed Services

Beyond training and automation, the report suggests considering managed security services bring in expertise and supplement existing resources.

“What’s needed, in combination with better training, is the adoption of new advanced security services and technologies that create leverage of the time and efforts of each cybersecurity professional,” the report said.

Trustwave concluded, “Key services and technologies to start investigating offer automation capabilities (for reducing manual processes), leverage artificial intelligence and machine learning (to identify hidden patterns in alert and threat data, among others), orchestration and aggregation (to support better identification and prioritization of threats and incidents), and managed services that will offload much of the labor burden.”

Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.



Suggested articles