At the end of each year, ESG conducts a wide-ranging global survey of IT professionals, asking them about challenges, purchasing plans, strategies, etc. As part of this survey, respondents were asked to identify areas where their organization has a problematic shortage of skills.

In 2018-2019, cybersecurity skills topped the list — 53 percent of survey respondents reported a problematic shortage of cybersecurity skills at their organization. IT architecture/planning skills came in second at 38 percent.

The cybersecurity skills shortage is nothing new. Alarmingly, the cybersecurity skills deficit has held the top position in ESG’s annual survey every year. (Note: I am an employee of ESG.) Furthermore, the percentage of organizations reporting a problematic shortage of cybersecurity skills continues to increase. Here are the results from the last four surveys:

2018-2019: 53 percent of organizations report a problematic shortage of cybersecurity skills

2017-2018: 51 percent of organizations report a problematic shortage of cybersecurity skills

2016-2017: 45 percent of organizations report a problematic shortage of cybersecurity skills

2015-2016: 42 percent of organizations report a problematic shortage of cybersecurity skills

Now, people like me have been talking about the cybersecurity skills shortage for years, and there are a lot of worthwhile industry and academic programs in place to address this issue. Despite these efforts, however, research from ESG and others indicates that the cybersecurity skills shortage is getting incrementally worse each year.

I know I sound like a cybersecurity Chicken Little here, but it is my firm believe that the cybersecurity skills shortage represents an existential threat to all of us, and our current approach to rectifying this situation is not working. In fact, I would argue that we treat the skills shortage rather cavalierly. We mention it, host panels at RSA, and crow about small wins, but we (as an industry, profession, and nation) haven’t put the time or resources into any type of national strategy to address it.

How to fix the cybersecurity skills shortage

What’s needed to address the cybersecurity skills shortage? Here are some ideas;

Massive federal leadership. To me, the cybersecurity skills gap is a true national emergency, albeit a slow and rather geeky one. I’d like to see some real leadership out of Washington with scholarship funding, a national awareness campaign, and departmental programs driven by the departments of commerce, education, energy, homeland security, and justice. It would also be worthwhile to reappoint a highly visible cybersecurity czar and make him or her responsible for establishing metrics, driving programs, and reporting back to the nation on progress. In lieu of a national program (which I’m sad to say is unlikely to happen), the states should step up, following the leadership of Maryland’s statewide strategy.

To me, the cybersecurity skills gap is a true national emergency, albeit a slow and rather geeky one. I’d like to see some real leadership out of Washington with scholarship funding, a national awareness campaign, and departmental programs driven by the departments of commerce, education, energy, homeland security, and justice. It would also be worthwhile to reappoint a highly visible cybersecurity czar and make him or her responsible for establishing metrics, driving programs, and reporting back to the nation on progress. In lieu of a national program (which I’m sad to say is unlikely to happen), the states should step up, following the leadership of Maryland’s statewide strategy. A more thorough public/private partnership. President Obama initiated an effort to bridge the gap between Silicon Valley and Washington. President Trump should carry the torch forward with a more focused effort on working with the cybersecurity technology community. Israel’s model is worth studying, as it does a good job of bridging relationships between the military, government agencies, academic institutions, cybersecurity vendors, and venture capitalists. Washington should strive for a similar model.

President Obama initiated an effort to bridge the gap between Silicon Valley and Washington. President Trump should carry the torch forward with a more focused effort on working with the cybersecurity technology community. Israel’s model is worth studying, as it does a good job of bridging relationships between the military, government agencies, academic institutions, cybersecurity vendors, and venture capitalists. Washington should strive for a similar model. An integrated industry effort. Rather than go it alone, large cybersecurity and technology vendors such as Amazon, Check Point, Cisco, Dell, Facebook, Google, HP, IBM, McAfee, Microsoft, Oracle, Palo Alto Networks, Symantec, and Trend Micro should pool their resources and talent to come up with strategies and programs for cybersecurity training. An industry-wide organization would have tremendous visibility and power to get the job done.

Of course, CISOs can’t wait around for government agencies and technology vendors to get their acts together. In the meantime, security managers must take the cybersecurity skills shortage into account with every decision they make. Organizations should also strive for continuous training of their cybersecurity staff and encourage cybersecurity personnel to participate in professional organizations, such as ISSA, while investing in new security technologies built for automation, integration, and streamlined operations.

Finally, CISOs must take a portfolio management approach to cybersecurity workloads and be open to outsourcing tasks to service providers when necessary or expedient.