In 2015 the total cost of all cybercrimes was $3 trillion worldwide. By 2021, this figure is expected to double to $6 trillion, as reported by Cybersecurity Ventures. To put that in perspective, only two countries in the world today have an annual GDP higher than $6 trillion. To keep up with the explosion in cyber threats, IT security has become a board-level concern for many organizations. To that end, worldwide IT security spend on products and services is expected to grow from $86 billion (2017) to $93 billion (2018), according to Gartner.

Increasing spend on products and services is critical to keeping up with the frequency and sophistication of today’s cyber threats. In 2016, the FBI reported that there were more than 4,000 daily ransomware attacks (up nearly 300% from 2015).

However, one persistent trend that continues to plague the cyber security industry is the security skills shortage. What is especially concerning is the expected growth of unfilled information security positions over the next few years. According to Cybersecurity Ventures, there will be 3.5 million unfilled cybersecurity positions by 2021, up from one million in 2016.

There are many factors that play a role in the security skills shortage. A 2017 survey of 343 IT security professionals by Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) uncovered some noteworthy trends and statistics.

  • Cybersecurity professional career paths follow a common pattern. 47% of survey respondents got into a cybersecurity role as a chance to pursue technical challenges, 37% state that a cybersecurity career was a natural progression from an IT position, and 36% were attracted by the morality of the profession. This data illustrates the lack of potential future cybersecurity professionals.
  • Cybersecurity professionals struggle to define their career paths. Two-thirds of respondents do not have a clearly defined career path or plan to take their careers to the next level. This is likely due to an ever-changing cybersecurity landscape.
  • Technical certifications remain a niche. New cybersecurity professionals are often overwhelmed by the number of certification options, so they become certified in more than one. ESG/ISSA believes this is not the best option and obtaining multiple certifications won’t lead to a successful career.
  • Most cybersecurity professionals aren’t satisfied with their current job. 60% of survey respondents are somewhat satisfied, not very satisfied, or not at all satisfied with their current positions. This will likely worsen the security skills gap and may lead to higher attrition rates.
  • Most organizations are not providing the cybersecurity staff with adequate training. While 96% of survey respondents agree that keeping their skill set up to date is a career requirement, only 38% of those surveyed believe that their organization is providing an appropriate level of training for them to keep up with business and IT risks.
  • Cybersecurity professionals are in high demand. Nearly half of those surveyed are solicited to consider other cybersecurity jobs at least once per week. This isn’t surprising given the global cybersecurity skills shortage and high demand for top talent.
  • CISOs are not always getting boardroom-level attention. 31% of survey respondents working at organizations that employ a CISO (or equal position) believe that their CISO does not have an adequate level of participation with executive management or the board of directors.
  • Organizations face numerous cybersecurity challenges. Survey respondents were asked to identify their organizations’ top security challenges, and they identified (1) a sub-optimal cybersecurity staff, (2) too many manual cybersecurity processes, and (3) business managers’ lack of cybersecurity knowledge as the top security challenges.
  • The cybersecurity skills shortage impact is widespread. 70% of survey respondents say that the cybersecurity skills shortage has had an impact on their organization. When asked to identify acute areas of this shortage, respondents identified security analysts, application security specialists, and cloud security experts as areas with the greatest skills gap.

Other factors that result from or exacerbate the IT security skills gap were identified in a survey of 228 IT and IT security professionals conducted in 2016 by Cloud Security Alliance and Skyhigh. Below are some of its key findings.

  • When it comes to budgets, IT executives were nearly five times as likely to expect a decrease in their IT security budget in the next 12 months compared with mid-level managers. Individual contributors are confident that the IT security budget in their organization would increase in the near term. In order to keep up with the growth of cyber threats, all company leaders must be on board and understand the importance of increasing the cybersecurity budget.
  • CISOs may not be prepared for the rapid adoption of public Infrastructure as a Service (IaaS) platforms. 31.2% of an enterprise’s computing resources come from IaaS providers. IT professionals expect that number to rapidly grow to 41.0% of computing workloads in the next 12 months. The growth of IaaS adoption could overwhelm already understaffed IT security departments.
  • Nearly one in five organizations have more than 10 security tools in use that generate alerts, underscoring the fact that alert fatigue is a common complaint among IT security professionals. 40.4% of respondents say that the alerts they receive lack actionable information that can be investigated, and 31.9% report that they ignore alerts sometimes because there are so many false positives. Another 27.7% say their organization experiences incidents for which there was no alert from a security tool.

Although these findings may sound discouraging, there are some positives. The ESG/ISSA survey revealed that:

  • Cybersecurity professionals have solid ideas for skills advancement. When asked how they improve their knowledge, skills, and abilities, 76% of cybersecurity professionals said attending specific cybersecurity training courses, 71% said participating in professional organizations, and 53% said attending industry trade shows.
  • Cybersecurity job satisfaction depends on culture and continuing education. Cybersecurity professionals find job satisfaction from organizations that provide incentives for career advancement, provide an opportunity to work with other skilled cybersecurity professionals, and support a strong commitment to cybersecurity by business leaders.
  • ISSA members have suggestions to improve cybersecurity. When asked what would be most beneficial for their organizations’ overall cybersecurity, survey respondents suggested adding goals and metrics for business and IT managers, documenting and formalizing cybersecurity processes, and hiring additional staff.

To help address the IT security skills shortage, organizations should invest in security professionals while transitioning their current IT teams towards a security role, especially since a lot of traditional IT responsibilities are being offloaded to cloud service providers.

Companies should promote cybersecurity as a career path, educate a broader population on cybersecurity career opportunities, encourage obtaining certifications, and urge attending security tradeshows and training sessions. They should offer regular training to develop security skills that are in demand such as incident response management, big data analytics, and cloud security.

Additional Resources

Below is a list of online educational resources that can help IT professionals take their cybersecurity career to the next level.

  • Pluralsight: Focuses on penetration testing, digital forensics, and security auditing. Individual membership costs $29 per month.
  • Cybrary: Free online classes including topics on penetration testing, ethical hacking, malware analysis, reverse engineering, and industry certifications.
  • SANS Institute: A nonprofit with training topics ranging from mobile device security, network penetration testing, and intrusion detection to forensics and IT security planning.
  • National Initiative for Cybersecurity Careers and Studies: Both classroom-based and online courses. You can search for classes based on location, subject, proficiency level, and delivery method.
  • Stanford University Center for Professional Development: Courses such as Emerging Threats & Defenses and Network Security can be taken individually or as part of a six-course Advanced Computer Security certificate program. Tuition is $495 per class.
  • (ISC)2 CISSP Training: This certification is focused on the operations side of security. Areas covered by the course include security and risk management, communications and network security, security assessment and testing, and risk management, among others. Cost for the on-demand seminar is $2,495.
  • (ISC)2 CCSP Training: The Certified Cloud Security Professional credential is widely recognized in the industry. (ISC)2 offers an on-demand course that helps prepare you to take the CCSP exam. Cost of the training is $495.
  • InfoSec Institute: The institute offers both online and in-person options, with nearly a hundred courses and boot camps for certifications. Topics include information assurance, secure coding, and virtualization.
  • Carnegie Mellon University: CMU’s Software Engineering Institute has several self-paced online courses, including big data architecture and technologies, and information security risk assessment.
  • Coursera: Delivers an education platform that offers free and low-cost courses. Some information security classes include: cryptography, a six-course cloud-computing specialization, and cyber security and mobility, designed for those who want to move into a management role in mobility.
  • ICS-CERT: Classes generally focus on control systems, but some extend into broader topic areas.
  • Texas A&M Engineering: A free 10-hour course on cyber incident analysis and response is part of FEMA training and is geared toward emergency services providers such as those in healthcare.