Cybersecurity Skills Shortage Holding Steady

Author: Jon Oltsik

The cybersecurity skills shortage is nothing new—I’ve been writing about it for years, as have other analysts and researchers.  I’ve also done countless presentations on this topic. Here’s a video where I’m interviewed on the cybersecurity skills shortage at the RSA Conference a few years ago. I also presented on this topic at the RSA Conference that same year.

I keep writing about the cybersecurity skills shortage for one consistent and troubling reason—it ain’t getting any better. Here’s a few data points to back up this claim:

  • As part of ESG’s annual IT spending intentions research, we asked respondents (i.e., about 600 IT and cybersecurity professionals in North America, EMEA, and the Asia Pacific region) to identify the different IT areas where their organization has a problematic shortage of skills. Cybersecurity has been identified as the #1 problematic shortage area across all of IT for the past 6 years in a row.
  • In 2017, 45% of organizations say they have a problematic shortage of cybersecurity skills. This is right in line with 2016 (46%), but these last two years represented a big increase. In 2015, 28% of organizations said they had a problematic shortage of cybersecurity skills, 25% in 2014, 23% in 2013, and 24% in 2012. The increase over the past two years has me especially concerned.
  • In 2016, ESG published a series of research reports on the state of the cybersecurity profession in collaboration with the Information Systems Security Association (ISSA). (Note: The reports are available for free download here.) Within this project, 437 cybersecurity professionals and ISSA members were asked whether the global cybersecurity skills shortage has impacted the organization they work at. Twenty-nine percent of respondents responded, “yes, significantly,” while another 40% said, “yes, somewhat.”
  • When the ISSA members were asked to identify the impact of the cybersecurity skills shortage on their organization:
    • 54% said that it increased the workload of the existing cybersecurity staff.
    • 35% said that they’ve had to hire and train junior staff because they had trouble recruiting and hiring more experienced personnel.
    • 35% said that a lack of cybersecurity skills has led to an inability to utilize some security technologies to their full potential.

It is also worth noting that 25% of respondents said that the skills shortage has resulted in a high “burn out” rate among cybersecurity professionals.

All of this data points to a few clear and alarming conclusions:

  1. The cybersecurity skills shortage isn’t getting any better.
  2. The cybersecurity skills shortage is having a real and measurable impact on many organizations.

To me, these inferences indicate that the cybersecurity skills shortage represents an existential threat to all of us. I hope that Mr. Giuliani gives this serious consideration and develops a strategic plan to address the cybersecurity skills shortage and presents it to President Trump as soon as possible.


Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s cybersecurity service.