Cyber security professionals say the top two contributing factors to security incidents at their companies are a lack of adequate training of non-technical employees (31 percent) and a lack of adequate cyber security staff (22 percent), a recent ESG and ISSA survey of 343 cyber security pros found.
And while 70 percent of respondents believe the cyber security skills shortage has had an impact on their organization and 96 percent say keeping their skills up is a key cyber security career requirement, 62 percent say their organization continues to fall behind in providing sufficient training for cyber security employees.
Thirty-one percent of respondents say their organization has a shortage of security analysis and investigations skills, 31 percent say they face a shortage of application security skills, and 29 percent say they have a shortage of cloud computing security skills.
Report author and ESG senior principal analyst Jon Oltsik said in a statement that the cyber security skills shortage represents an existential threat to U.S. national security. "We are not making progress, cyber security professionals can't scale, and the implications of the skills shortage are becoming more pervasive and ominous," he said.
Forty-five percent of respondents have experienced at least one security incident within the past two years, and 91 percent believe most organizations are vulnerable to a significant cyber attack or data breach.
The leading challenge they face, respondents say, is simply that cyber security is understaffed for the size of their organization (29 percent).
Forty-seven percent of respondents say they got into cyber security as a chance to use their skills and curiosity to pursue technical challenges, 37 percent say their cyber security career was a natural progression from an IT position, and 36 percent say they were attracted by the morality of the profession.
Still, 66 percent say they don't have a clearly defined career path or a plan to take their careers to the next level -- and 60 percent say they're somewhat satisfied, not very satisfied, or not at all satisfied with their current position.
Forty-nine percent of respondents say they're solicited for other cyber security positions at least once a week.
Women in the Field
At the same time, a recent Frost & Sullivan survey found that women comprise only 11 percent of the information security workforce, a number that's remained steady since 2013.
A separate Kaspersky Lab survey [PDF] of over 4,000 young people (ages 16 to 21) in the U.S., U.K., France, Germany, Italy, Spain, Israel and the Netherlands found that 78 percent of young women have never even considered a career in cyber security.
Women's leading reasons for not pursuing a career in cyber security include a lack of experience in coding (57 percent), no interest in computing as a career (52 percent), and not being aware of or knowing enough about cyber security careers (45 percent).
Men are far more likely than women to choose math (49 percent vs. 36 percent) and IT (21 percent vs. 7 percent) as their preferred subjects at school -- and in general, just 20 percent of respondents, and 16 percent of women, were clear on what a cyber security expert does.
Cyber security also has a significant image problem. One third of young women think of cyber security professionals as "geeks," and a quarter think of them as "nerds."
"Based on our research, at the moment, young women do not perceive cyber security to be a viable or attractive career option for them, and they are therefore ruling out a career in the IT industry at a young age, making it hard to persuade them otherwise," Kaspersky Lab North America senior vice president of marketing Todd Helmbrecht said in a statement.
"Early education plays a critical role in overcoming entry barriers, but there's also a need to change the industry's image as a whole and promote the careers within," Helmbrecht added. "An important part of that process is making the roles more visible and enticing, and debunking the stereotype of IT security geeks sitting in a dark room hacking computers."