Being a cybersecurity professional – never an easy job – is becoming even more difficult and stressful, thanks to the increasing complexity of the work, a rapidly expanding attack surface, more attacks, more regulatory requirements, and the growing global shortage of skilled cybersecurity talent.
Those were among the findings in a survey by IT analyst firm Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA), an international professional organization for security pros.
Of the 369 ISSA members surveyed for the report – the seventh edition of The Life and Times of Cybersecurity Professionals – 65% said the job of a cybersecurity professional has become more difficult over the past two years, 37% said they’ve considered leaving the profession, and most said their jobs are stressful at least half the time. In addition, the skills shortage is affecting 65% of organizations and 37% of respondents said it has gotten worse over the past two years.
While that’s bad for organizations and their cybersecurity teams, the difficulty finding skilled cybersecurity practitioners is a boon for MSSPs, which often benefit from such crises because organizations need to outsource some of their security functions.
“The cybersecurity skills gap remains a significant concern for organizations worldwide, making it increasingly challenging to protect their digital assets effectively,” Gibraltar Solutions, a Canadian managed IT services provider, wrote last year. “As the threat landscape evolves, MSSPs are poised to play a critical role in closing the cybersecurity skills gap and helping businesses safeguard their valuable data and assets.”
The Gap Widens
The shortage is growing. ISC2, another member organization for cybersecurity pros, said in its own security workforce study this year that there are 5.5 million people in the global cybersecurity workforce now – up 0.1% year-over-year – but that the size of the workforce gap grew 19%, to 4.8 million. The world needs 10.2 million cybersecurity professionals in the workforce, an 8.1% increase, according to the study.
The current workforce – the size of which has essentially stalled over the past year – doesn’t bode well for the near future, the authors wrote.
“While it can be argued that this reflects overall stability within the cybersecurity workforce in the face of economic and workforce retention pressures across sectors, it also highlights a concerning shortage of entry points for new talent and a lack of opportunities to address skills and personnel shortages with new talent and on-the-job learning,” they wrote.
The Gap's Ripple Effect
The impact of the skills shortage reaches far, according to ESG and ISSA’s report. About 59% of respondents said it’s increased workloads on existing staff, with 40% saying that it’s made it impossible to fully learn and use some security technologies to their full potential.
“Security technology vendors should be alarmed by this data point and invest in the appropriate resources for customer success,” the report’s authors wrote. “As in 2023, other issues include high rates of employee burn out, jobs remaining open for lengthy periods, and the need to hire and train junior rather than experienced cybersecurity professionals.”
MSSPs are Seeing Growth
This is helping to fuel an MSSP market that is expected to grow from $30.6 billion last year to $52.9 billion by 2028, according to research firm MarketsandMarkets. MSSP Alert’s MSSP 250 research this year found that the average revenue for the group increased 18% year-over-year.
MarketsandMarkets analysts noted that the expanding attack surface, driven by continued growth in the cloud and the increasing number of connected internet of things (IoT) devices, is making traditional security methods obsolete and paving the way for MSSPs and their comprehensive solutions and expertise.
Advanced attacks like zero-day exploits and advanced persistent threats (APTs) are further marginalizing such security approaches, they wrote.
MSSPs offer a range of services that can help bridge the security skills gap, according to Gibraltar, including immediate access to cybersecurity expertise, cost efficiencies, customized solutions, and scalability.
Multiple Approaches Needed
That said, MSSPs won’t be the only solution required to address such a significant skills shortage, according to Bob O’Donnell, principal analyst with TECHnalysis Research. They’re going to play an important role, but more will be needed.
“It’s clear that organizations are going to have to be creative in filling the gap,” O’Donnell told MSSP Alert. “They’re certainly going to have to look at MSSPs as well as other solutions. … It’s going to take a multi-pronged approach to fill a gap so large.”
That includes improving employee education and training. The automation that generative AI is bringing to cybersecurity and IT environments also will help by alleviating some of the burdens that current manual tasks bring, he said.
Respondents in the ESG and ISSA report noted several steps their organizations can take to improve the cybersecurity culture, with 25% citing cybersecurity training for IT and software development teams. When asked for ways to improve security programs, 41% said increasing training for cybersecurity and IT professionals, while 35% said increasing security awareness training for non-technical employees.
In addition, 9% said their organizations should outsource more security responsibilities to third-party security services providers, reflecting the multi-solution approach O’Donnell recommended.