SAN FRANCISCO – Much has been made of the cybersecurity workforce gap, and it appears to be a persistent issue: A full 69 percent of respondents in a recent survey said that they have cybersecurity teams that are understaffed.
According to ISACA’s State of Cybersecurity 2019 survey, released at the RSA Conference 2019 in San Francisco, cybersecurity professionals are still in short supply and hard to find, particularly for roles that require technical proficiency.
In the report, 58 percent of respondents note that their organizations have unfilled cybersecurity positions. The results also show that there has been a 6 percentage-point increase year-over-year of organizations languishing at least six months before they are able to fill open cybersecurity positions – this number rose from 26 percent in 2017 to 32 percent in 2018.
Worse, retaining cybersecurity professionals is exceptionally difficult; competitors increasingly use higher pay and bonuses to pick off employees. Even enticements such as training and certification aren’t proving enough to retain cybertalent.
In fact, a full 57 percent of respondents said their organizations offer increased training as incentives to keep people within an organization – yet an overwhelming 82 percent indicate that most individuals leave their company for another because of financial and career incentives such as promotions.
“We’re in a highly fluid environment where organizations are increasingly challenged by competitive forces,” said Rob Clyde, board chair of ISACA, in a media statement. “Creative and competitive retention efforts are more important than ever in the current environment, and organizations should make it a priority to identify ways to boost their cybersecurity teams.”
The Skills Gap is Real
Examining the makeup of these types of unfilled cybersecurity positions aids in identifying the type of talent missing within the cybersecurity field overall, the report noted.
Most of the vacancies are in technical cybersecurity positions; in fact, 52 percent of respondents said that most open cybersecurity positions at their enterprises are technical cybersecurity positions at the individual contributor level.
In stark contrast, very few cybersecurity executive or C-suite positions are unfilled: About 72 percent of respondents indicated that their enterprises have no cybersecurity executive position openings.
Meanwhile, three-quarters (75 percent) of survey respondents said they expect an increase in hiring demand for technical professionals, relatively in line with the 77 percent response from last year’s survey.
Although the cybersecurity field needs greater technical competence and qualifications, business acumen is also in short supply, the report found.
Half (49 percent) of respondents identified this area as the biggest skills gap, compared with the 34 percent who reported that the biggest gap is in technical skills.
“The most prized hire within a cybersecurity organization is a skilled professional who not only understands the business operation and how cybersecurity fits into the greater needs of the organization, but also knows how to communicate well,” said Frank Downs, director of cybersecurity practices at ISACA, in a media statement.
Gender Diversity Wanes in Significance
At the same time, the report found that gender diversity programs are declining and perceived as less effective than in the past: Less than half of cybersecurity organizations have a gender diversity program in place.
Only 45 percent of the survey’s female respondents said that they believe that both men and women have equal opportunity for career advancement. This represents a downward trend from 51 percent the previous year.
“Attempts to diversify the workforce and create gender inclusion are either not happening enough or are failing to meet employee expectations,” said Clyde. “Respondents do not believe their organizations prioritize increasing the number of women in cybersecurity roles or advancing them within the organization.”
Cybersecurity Budget Increases Are Expected to Slow
Perhaps related to having in-house resources to implement defense solutions, most respondents still expect an increase in cybersecurity budget, although not as much as in the previous year. The survey uncovered that 55 percent of respondents expect an increase in cybersecurity budgets, which is a significant decrease of nine points from last year’s 64 percent.
When asked about funding, 60 percent of respondents indicated that they consider their cybersecurity budget to be underfunded, with nearly a fifth (20 percent) saying they believe their budgets are significantly underfunded.
(For all of Threatpost’s RSA Conference 2019 coverage, please visit our special coverage section, available here.)