It has become increasingly apparent that the term “cybersecurity” is the go-to word for hot topics in the media, as organizations are in hiring frenzies looking to recruit top talent. Many security-related institutions have been stating for years that the industry suffers from a severe skills shortage. If you ever catch a talk at a well-known security conference or group meetup, you’re sure to find career recruiters there in need of skilled security professionals. More specifically, many of the positions at these organizations are penetration testing roles.

Of all the roles that are in high demand and short supply, a penetration tester shouldn’t be one of them. Everyone knows that penetration testers are the rock stars of the infosec society. Doesn’t every computer science student and IT professional strive to be a pen tester nowadays? Are there not hundreds of courses teaching penetration testing all over the internet? Anyone can find numerous CTF (capture the flag) competitions online every single day that claim to be fine tuning the next best cyber professionals. Organizations are clearly beginning to recognize the need for pen testing related skills. So, what is the issue? Why is there a shortage?

The third annual global cyber security professionals 2018 research study, conducted by the Information Systems Security Association (ISSA) and the Enterprise Strategy Group (ESG), found that 18% of the organizations stated having a shortage of penetration testing talent. The top six cybersecurity skill sets with the largest shortage are related to areas in cloud, application, security analysis/investigations, risk administration, security engineering, and penetration testing.

Shortages are causing Security Incidents

The report also confirms that the shortage of cybersecurity skills remains the primary reason behind rising security incidents. Organizations remain overwhelmed by a lack of end-user cybersecurity awareness, which, when combined with the inability to keep up with the growing cybersecurity workload amongst inadequately trained security professionals results in a dangerous combination. In fact, 48% of the report’s respondents have experienced at least one security incident over the past two years with serious ramifications including lost productivity, significant resources for remediation, disruption of business processes and systems, and breaches of confidential or sensitive data.

As the growing number of incidents increase year over year, cybersecurity professionals are undeniably skeptical about their chances for success at defending their networks. 91% believe most organizations are vulnerable to a significant cyber-attack. And an overwhelming 94% percent believe that the balance of power is with cyber-adversaries over cyber-defenders. With many industry experts stating their concern over the growing attack surface, organizations face increasingly potentially devastating cyber-risks with detrimental business-related outcomes.

Despite the third straight year of these findings, 63% of organizations continue to lack providing an adequate level of training for their cybersecurity professionals. Year after year, the most critical skills shortages continue to be related to security positions such as penetration testing, as it has consistently remained as an area of concern that lacks the quality level required. In a time where business and organizations are becoming increasingly dependent on technology, they are facing more scrutiny and accountability than ever before. The lack of progress in satisfying the demand for highly qualified security professionals in the field, and the resulting cyber-risk for the companies and their shareholders, customers and partners should be a cause for concern for the organizational and technology leaders that the industry depends on.

Employees are burning out

The research study also reports that a growing trend has been plaguing many IT positions found in businesses and organizations – though many cybersecurity professionals remain dedicated to their craft, heavy technical challenges are beginning to arise where the causes and consequences of stress and burnout are taking hold.

  • Job demanding stress: 40% of IT professionals are finding it stressful to keep up with the security needs of new IT initiatives and getting end-users and the organizational staff to accept and understand cyber-risks to change their behaviour.
  • New PI privacy policy obligations: 84% percent claim that cybersecurity teams in organizations have taken a more active role in protecting personal information and data privacy over the last twelve months, but 21% don’t believe the cybersecurity team has been given clear direction, and 23% don’t believe the cybersecurity team has been given the right level of training.
  • Increased workload: 66% of study participants claim that the cybersecurity skills shortage has resulted in an increased workload on existing staff. Since organizations don’t have enough skilled people, the additional work gets piled onto the employees that they do have. This inevitably leads to IT misconfigurations, human error, misalignment of tasks to skills, and employee burnout.
  • Inability to utilize security tools: 47% of respondents claim that the cybersecurity skills shortage has resulted in an inability to fully learn or utilize security technologies to their full potential. Organizations are purchasing expensive security tools but not finding the time to implement them due to lack of experience or resources to take full advantage of them. Product quality won’t matter if no one on the IT team knows how to use it properly.
  • Promote junior staff vs hiring experienced professional: 41% of respondents claim that the cybersecurity skills shortage has resulted in having to recruit and train junior employees rather than hire experienced cybersecurity professionals. As more organizations are trying to fill these skilled roles, they are taking more desperate measures to address their growing needs – though not necessarily the right ones.
  • Misaligned business and technology goals: 40% of respondents claim that the cybersecurity skills shortage has resulted in limited time to work with business units to align cybersecurity with business processes. This is counter-intuitive to the success of any business. Organizations are expanding their use of technology as part of their business mission, yet the cybersecurity staff doesn’t have enough time to work with the business to mitigate risk or safeguard business processes.

It’s worth noting that the cybersecurity skills shortage is about skills and not just job vacancies. It’s critical that organizations change their approach to hiring pen testers to ensure stability and success. The alternative – suffering a data breach due to a weak architecture or infrastructure – is unacceptable today; according to the study, the skills shortage is worsening for the third year in a row and has impacted 74% of all global organizations. Many countries like the United States and the United Kingdom have been forced to issue execute orders and add cybersecurity professionals such as penetration testers to the Government’s shortage occupation list (SOL).

What is your organization prepared to do to protect itself? Our industries are controlled by ones and zeros, which makes the cybersecurity skills shortage an existential threat to our way of life. It’s time to address these issues with a true sense of urgency.

Take comfort in the fact that at Packetlabs our entire objective is built upon guiding organizations through the process of discovering how vulnerable they are to a cyber-attack. Our cybersecurity experts are world renowned with the highest certification in the industry. All of our penetration testers come from a strong foundation of both practical skills and academic experience that create a multi-faceted security professional. We have a thorough knowledge of various security tools and analysis techniques that can be used to conduct a comprehensive evaluation of your defenses. Allow us to find the exploitable flaws in your organizational architecture to help prevent malicious actors from discovering and utilizing them first. Contact us to see how we can help.