Security leaders are facing significant challenges in acquiring the appropriate skills to execute against their strategic objectives.


According to research conducted by global cybersecurity recruitment firm Stott and May, in partnership with Forgepoint Capital, internal skills represent the single most significant barrier to strategy execution for 43% of cybersecurity leaders, followed by budget (35%), technology (13%), and board-level buy-in (9%). The research provided insight into the thoughts and core priorities of a snapshot cohort of 55 security leaders and examined critical themes, including the skills shortage, inhibitors to strategy execution, and the business perception of cybersecurity functions.


In addition, the research found that security leaders continue to experience challenges sourcing experienced talent, with 73% highlighting it as an area of concern. Time-to-hire also remains a potent issue, with 35% pointing to positions being left unfilled after a 12-week period.


Highlights from the research include:

  • The significance of cybersecurity is becoming even more broadly recognized internally, as 80% of security leaders believe their business perceives the function as a ‘strategic priority,’ up from 54% last year.
  • 100% of the sample of cybersecurity leaders now either agree (38%) or strongly agree (62%) that their business feels the function plays a role in improving the overall value proposition to customers.


Commenting on the news, Heather Paunet, Senior Vice President at Untangle, a California-based provider of comprehensive network security for SMBs, explains, “The cybersecurity skills gap exists for multiple reasons. Initially, it was driven by not enough visibility in IT education and as a path to a career. At the same time, cybersecurity was often an afterthought for organizations and was also seen as cumbersome technology that slowed down technology performance. Businesses hired limited cybersecurity professionals, and distributed IT responsibilities across other roles.


“Today, that gap has increased in part due to evolving cyberattacks and high-profile, front-page news cyberattacks that emphasize the necessity for businesses of all sizes to ensure they protect their systems against ransomware attacks and downtime, which can cripple their business. This visibility into what causes attacks and the consequences has led companies to reconsider cybersecurity roles and hire more skilled workers.


“Also having an impact on the skills gap is the government focus on cybersecurity such as the Biden Administration Executive Order (EO) on Improving the United States’ Cybersecurity Stature, the K-12 Cybersecurity Act signed by President Biden, and the guidance issued by the National Security Agency and CISA focused on how to choose the right VPN technology. These EOs and guidance are compelling businesses to take seriously the measures they need to put in place to protect themselves. This includes staffing with the right expertise to follow those guidelines. However, the demand is outpacing the resource pool, which has not caught up yet.


“So, how do we close the gap? First, there is a lack of awareness regarding a career in cybersecurity and its opportunities. There needs to be an industry push to improve the profession’s image. Second, there needs to be an organizational change that recognizes the severity and devastation cyberattacks can cause and make cybersecurity a priority. But companies need to ensure this investment isn’t just in technology but also in their current workforce with continual training, advancement opportunities and recognition.


“In addition, IT education programs need to do the profession justice and emphasize the different roles and careers available in cybersecurity. Recent high-profile ransomware attacks are an opportunity to show students how their path could lead to detecting and stopping attacks or even finding cybercriminals. Lastly, there needs to be societal change to recognize that cyber risks affect everyone and that cybersecurity should be part of daily life, much as accessing the internet. General cybersecurity best practices should not only be taught in the workplace but also in schools, and implemented at home.”