Right about now many organizations are starting to put together their budgets for 2022 that will include allocations for security. At the core of those calculations every year is determining how much to allocate to licensing security platforms versus the salaries of the professionals required to employ them.
Given the general shortage of cybersecurity expertise in the world, the salary issue is top of mind. It’s more difficult than ever to hire and retain cybersecurity talent, an issue that has become even more challenging now that more organizations in the wake of the COVID-19 pandemic are a lot more comfortable recruiting IT talent wherever they might find it.
A recent survey of 489 security professionals conducted by the Enterprise Strategy Group (ESG) on behalf of the Information Systems Security Association (ISSA) finds more than three quarters (76%) of respondents say it is extremely or somewhat difficult to recruit and hire security professionals.
Naturally, the reason for this has a lot to do with the current imbalance between supply and demand. Well over a third of the respondents (38%) said their organization doesn’t offer competitive compensation.
A significant number of survey respondents also noted their human resources (HR) department doesn’t understand the skills needed for cybersecurity, while a quarter (25%) said the job postings at their organization tend to be unrealistic. Well over half of the respondents (59%) said their organization could be doing more to address the cybersecurity skills shortage.
The skills shortage, of course, impacts every security professional. The survey noted the skills shortage results in increased workload (62%) and higher burnout among staff (38%). Half of the respondents also noted that job stress levels increased this past year because of the increased number of remote workers brought on by the need to combat the COVID-19 pandemic. Overall, 57% of respondents said their organization has been impacted by the cybersecurity skills shortage.
A full 95% said the cybersecurity skills shortage has not improved over the past few years, with 44% reporting the situation has only worsened. A total of 70% of respondents also noted they have been solicited at least once a month by recruiters to consider another job.
Savvy cybersecurity leaders know that the decision to remain with an organization involves more than compensation considerations. Survey respondents ranked an organization’s commitment to cybersecurity higher (43%) than compensation (39%). Other factors include the quality of the cybersecurity team (33%) and the ability to advance their cybersecurity career (32%).
Those same cybersecurity leaders also know there is no cavalry coming over the proverbial hill any time soon. They may be able to rely more on managed security service providers for help, but security budgets are finite. The only real way to compensate for security talent that can’t be found is to rely more on automation to augment the capabilities of the cybersecurity staff.
As they make their plans for 2022, cybersecurity leaders will need to carefully evaluate both the level of automation attainable via security platforms and the return on investment they are getting from legacy platforms. Like it or not, cybersecurity is an arms race that requires the ongoing modernization of platforms to combat new threats as they appear. No amount of automation will replace the need for cybersecurity professionals any time soon. The real issue will be striking the right balance as part of an effort to make every dollar invested in cybersecurity have the highest return possible.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.