The cybersecurity skills shortage is increasing, and it's having a negative effect on information security professionals and their organizations.

According to ESG research, 51 percent of organizations report having a “problematic shortage” of cybersecurity skills in 2018. This is up from 45 percent in 2017.

This skills shortage has multiple implications. Organizations don’t have the right sized teams and operate in a perpetually understaffed mode. Often, the cybersecurity team lacks some advanced skills in areas like security analytics, forensic investigations, or cloud computing security, putting more pressure on the most experienced staffers to pick up the slack.

Finally, many organizations are so busy with day-to-day security operations that they have little time for ongoing cybersecurity training.

According to research from ESG and the information systems security association (ISSA), 62 percent of cybersecurity professionals believe their organization is not providing an adequate level of training for them to keep up with business and IT risks.

The cybersecurity skills shortage affects infosec professionals

Clearly the cybersecurity skills shortage is affecting organizations, but what’s often overlooked is the impact it has on the cybersecurity pros in the trenches. For example, the ESG/ISSA research indicates:

70 percent of cybersecurity professionals say the cybersecurity skills shortage has had some impact on their organization. Of course, they are living this impact.

63 percent of cybersecurity professionals say the cybersecurity skills shortage has increased the workload on existing staff. More work and stress at the same salary is a surefire recipe for dissatisfied employees and high attrition.

41 percent of cybersecurity professionals say the cybersecurity skills shortage has led to a situation where the infosec staff spends a disproportional amount of time dealing with high-priority issues and incident response. This means that many cybersecurity pros face a high-stress workplace from the beginning to the end of their workdays.

68 percent of cybersecurity professionals believe that a cybersecurity career can be taxing on the balance between one’s personal and professional life. In other words, infosec pros are taking the pressure of their jobs home with them. It’s safe to assume that this can leads to issues like substance abuse and others.

38 percent of cybersecurity professionals say the cybersecurity skills shortage has led to high burnout rates and staff attrition. This affects cybersecurity pros and the organizations they work for.

It’s worth remembering that cybersecurity pros tend to take their jobs very personally. To paraphrase Elliot Alderson (of Mr. Robot), cybersecurity professionals want to save the world, so they become emotionally invested in their careers, adding to the stress levels. Alarmingly, the ESG/ISSA research also reveals that 60 percent are not very satisfied with their current job. Since many of these folks are suffering from cybersecurity job fatigue, can you blame them?

At the risk of continuing to sound like Chicken Little, I believe the cybersecurity skills shortage represents an existential threat to all of us. The organizations we regularly trust with our data don’t have enough trained people or advanced skills to adequately protect it. Furthermore, the cybersecurity professionals they depend upon are overworked, highly stressed, and prone to burnout.

Cybersecurity job fatigue is real

No one is talking about it, but I believe cybersecurity job fatigue is a real, growing, and troubling problem, exacerbated by the global cybersecurity skills shortage and the increasingly dangerous threat landscape. To address this, CISOs must assess the state of mind of key staff members, create work schedules to rotate personnel off the front lines, and provide the right levels of support, stress relief programs, and career counselling.

(Author's note: The term PTSD was changed to job fatigue. Use of the term was inappropriate, and I apologize for including it and any upset it caused.)