A study has revealed that nearly two-thirds (65%) of cybersecurity professionals struggle to define their career paths.

The study by the Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG) found two big “red flags”: The majority of cybersecurity professionals aren’t receiving the right level of skills development to address the rapidly evolving threat landscape. And the skills shortage has created a job market that represents an existential threat, adding job-related stress to cybersecurity personnel while making it harder for organizations to protect critical IT assets.

When it comes to the CISO, the research found that he or she succeeds or fails based upon leadership skills and face time with executive management and the board of directors. Also of concern is that cybersecurity relationships with business and IT groups need work.

“This research paints an escalating and dangerous game of cybersecurity ‘cat and mouse’ and today’s cybersecurity professionals reside on the front line of this perpetual battle, often knowing they are undermanned, underskilled and undersupported for the fight,” said Jon Oltsik, Senior Principal Analyst, Enterprise Strategy Group (ESG).

Based upon the data collected, “The State of Cyber Security Professional Careers (Part I): An Annual Research Project (Part I)” conclusions include:

  • Nearly two-thirds (65%) of respondents do not have a clearly defined career path or plan to take their careers to the next level: This is likely due to the diversity of cybersecurity focus areas, the lack of a well-defined professional career development standard and map, and the rapid changes in the cyber security field itself.
  • Continuous cyber security training is lacking: When asked if their current employer provides the cybersecurity team with the right level of training to keep up with business and IT risk, more than half (56%) of survey respondents answered “no,” suggesting that their organizations needed to provide more or significantly more training for the cybersecurity staff.
  • Cyber security certifications are a mixed bag: Over half (56%) of survey respondents had received a CISSP and felt it was a valuable certification for getting a job and gaining useful cyber security knowledge. Other than the CISSP certification, however, cybersecurity professionals appear lukewarm on other types of industry certifications. Based upon this data, it appears that security certifications should be encouraged for specific roles and responsibilities, but downplayed as part of a cybersecurity professional’s overall career and skills development.
  • Cybersecurity professionals are in extremely high demand. Forty-six percent (46%) of cybersecurity professionals are solicited to consider other cybersecurity jobs (i.e. at other organizations) at least once per week. In other words, cybersecurity skills are a “sellers’ market” where experienced professionals can easily find lucrative offers to leave one employer for another. This risk is especially high in lower paying industries like academia, health care, public sector, and retail.
  • Many CISOs are not getting enough face time in the boardroom, a significant contributing factor to CISO turnover. While industry rhetoric claims that “cyber security is a boardroom issue,” 44% of respondents believe that CISO participation with executive management is not at the right level today and should increase somewhat or significantly in the future. Alarmingly, this perspective is more common with more experienced cybersecurity managers (who should be working with the business) than cybersecurity staff members. When asked why CISOs tend to seek new jobs after a few short years, cybersecurity professionals responded that CISOs tend to move on when their organizations lack a serious cybersecurity culture (31%), when CISOs are not active participants with executives (30%), and when CISOs are offered higher compensation elsewhere (27%).
  • Internal relationships need work. While many organizations consider the relationship between cyber security, business, and IT teams to be good, it is concerning that 20% of cybersecurity professionals say the relationship between cybersecurity and IT is fair or poor (surprising given that 78% of cybersecurity professionals got their start in IT) and 27% of survey respondents claim the relationship between cybersecurity and the business is fair or poor. The biggest cybersecurity/IT relationship issue selected relates to prioritizing tasks between the two groups while the biggest cybersecurity/business relationship challenge is aligning goals.

“These conclusions point to the need for business, IT, and cybersecurity managers, academics, and public policy leaders to take note of today’s cybersecurity career morass and develop and promote more formal cybersecurity guidelines and frameworks that can guide cyber security professionals in their career development,” said Candy Alexander, CISO, ISSA Cyber Security Career Lifecycle (CSCL) Chair. “Independent organizations such as the ISSA with its Cyber Security Career Lifecycle (CSCL) are taking the lead on such initiatives. This research data will help the ISSA strengthen its groundbreaking program.”

The report also lays out the “Top 5 Research Implications for Cyber Security Professionals” as a guideline for taking control of the cyber security career lifecycle. Similarly, it lays out the “Top 5 Research Implications for Employers” to help businesses, non-profits, and government agencies appeal to cybersecurity professionals at large.

Added Oltsik, “In spite of these issues, however, it is encouraging that 79% of survey respondents strongly agree or agree that they are happy as a cybersecurity professional. Together with a moral imperative that attracts people to the cybersecurity profession, this data point speaks volumes about cybersecurity professionals who are willing to passionately fight the good fight regardless of their personal situations.”