Cybersecurity Skills Crisis Continues for Fifth Year, Perpetuated by Lack of Business Investment

Annual global study from ESG and ISSA reveals not offering competitive compensation as the top factor contributing to the skills shortage for respondents’ organizations

VIENNA, Va.–(BUSINESS WIRE)–The cybersecurity skills crisis continues on a downward, multi-year trend of bad to worse and has impacted more than half (57%) of organizations, as revealed today in the fifth annual global study of cybersecurity professionals by the Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG). This annual study seeks to understand the perspectives of the people on the information security career path to help others understand the challenges of this important field.


The new research report, The Life and Times of Cybersecurity Professionals 2021, surveyed 489 cybersecurity professionals and reveals several nuances surrounding the well-documented cybersecurity skills shortage. The top ramifications of the skills shortage include an increasing workload for the cybersecurity team (62%), unfilled open job requisitions (38%), and high burnout among staff (38%). Further, 95% of respondents state the cybersecurity skills shortage and its associated impacts have not improved over the past few years and 44% say it has only gotten worse.

Notably, the three most-often cited areas of significant cybersecurity skills shortages include cloud computing security, security analysis and investigations, and application security. These areas should be the focus for cybersecurity professionals when looking to develop skills.

The cybersecurity profession remains systemically undervalued

Businesses are not investing in their people in a manner that appropriately reflects the direness of today’s cyberthreat landscape. A striking 59% of respondents said their organization could be doing more to address the cybersecurity skills shortage, with nearly one-third noting that their organization could be doing much more.

  • Cybersecurity professionals need fair and competitive compensation. This came up several times in the research report and is clearly critical to hiring and retaining security personnel. In a new finding this year, not offering competitive compensation is the top factor (38%) contributing to the organizations’ cyber skills shortage because it makes it difficult to recruit and hire the cybersecurity professionals that organizations need. More than three-quarters (76%) of organizations admit that it is difficult to recruit and hire cybersecurity staff, with nearly one-fifth (18%) stating it is extremely difficult. Being offered a higher compensation package is the main reason (33%) CISOs leave one organization for another.
  • Investments in cybersecurity training need to be funded appropriately. When asked what actions organizations could take to address the cybersecurity skills shortage, the biggest response (39%) was an increase in cybersecurity training so candidates can be properly trained for their roles. To maintain and advance their skill sets, many cybersecurity professionals seek to achieve at least 40 hours of training each year. Nearly a quarter (21%) of those surveyed did not meet 40 hours of training per year. The main reason they cited was that their jobs do not pay for 40 hours of training per year and they can’t afford it by themselves, according to nearly half (48%) of respondents.
  • The cybersecurity training paradox continues and needs attention. Nearly all (91%) respondents agree that cybersecurity professionals must keep up with their skills or the organizations they work for are at a significant disadvantage against today’s cyber-adversaries. Despite this need, 59% state that while they try to keep up with cybersecurity skills development, job requirements often get in the way—the paradox that professionals face where they are called upon to make up for the existing skills shortage in addition to falling behind on their own development.
  • Human resources and cybersecurity teams need to align on business value. Nearly one in three (29%) professionals surveyed said the HR departments at their organizations likely exclude strong job candidates because they don’t understand the skills necessary to work in cybersecurity. One in four also said job postings at their organizations tend to be unrealistic, demanding too much experience, too many certifications, or too many specific technical skills. Nearly a third (30%) suggested CISOs try to better educate HR and recruiters on real-world cybersecurity goals and needs and 28% said job recruitments need to be more realistic with the typical levels of experience cybersecurity professionals have.
  • Business and cyber leaders need to work together to improve organizational dynamics. Business executives must embrace cybersecurity as a core component of the business while CISOs need to move their people, processes, and technologies closer to the business. Organizations should be alarmed by the fact that:

    • 29% of respondents said the security team’s relationship with HR is fair or poor.
    • 28% said the relationship with line-of-business managers is fair or poor.
    • 27% of respondents said that the relationship with the board of directors is fair or poor.
    • 24% said the relationship with the legal team is fair or poor.

“There is a lack of understanding between the cyber professional side and the business side of organizations that is exacerbating the cyber skills gap problem,” said Candy Alexander, Board President, ISSA International. “Both sides need to re-evaluate the cybersecurity efforts to align with the organization’s business goals to provide the value that a strong cybersecurity program brings towards achieving the goals of keeping the business running. Cybersecurity leaders should be able to link the security efforts directly to strategic business goals.”

“This report reveals some deep-seated issues with cybersecurity professionals and their organizations,” said Jon Oltsik, Senior Principal Analyst and ESG Fellow. “ESG and ISSA hope that cybersecurity professionals use this research to better understand their profession and peers as they manage their careers. For business and cybersecurity professionals, the data should be seen as a set of guidelines for maximizing cybersecurity investment, improving cybersecurity job satisfaction, and aligning cybersecurity with the business mission. The message is clear: Organizations with a cybersecurity culture are in the best position.”

After reviewing this data, ESG and ISSA recommend that cybersecurity professionals take a holistic approach of continuous cybersecurity education (starting early with public education), comprehensive career development, and career mapping/planning, all with the support of and integration with the business.

The full report can be downloaded here.

About ISSA

The Information Systems Security Association (ISSA)™ is the community of choice for international cyber security professionals dedicated to advancing individual growth, managing technology risk, and protecting critical information and infrastructure. ISSA members and award winners include many of the industry’s notable luminaries and represent a broad range of industries – from communications, education, healthcare, manufacturing, financial and consulting to IT – as well as federal, state and local government departments and agencies. Through regional chapter meetings, conferences, networking events and content, members tap into a wealth of shared knowledge and expertise. Follow us on Twitter at @ISSAINTL. Learn more about ISSA.

About ESG

Enterprise Strategy Group (ESG) is an integrated technology analysis, research, and strategy firm providing market intelligence, actionable insight, and go-to-market content services to the global technology community. It is increasingly recognized as one of the world’s leading analyst firms in helping technology vendors make strategic decisions across their go-to-market programs through factual, peer-based research. ESG is a division of TechTarget, Inc. (Nasdaq: TTGT), the global leader in purchase intent-driven marketing and sales services focused on delivering business impact for enterprise technology companies.


Leslie Kesselring

Kesselring Communications

Rushing Recruitment Can Be a False Economy, Firms Warned

Pre-hire tests and assessments can help identify if new hires will fit in


NEW YORK–(BUSINESS WIRE)–Businesses are ramping up recruitment to secure the people they need with the right modern skills for the post-pandemic economy. But “recruitment in a rush” could store up problems for the future, warns Questionmark, the online assessment provider.

United States (US) employers created 850,000 jobs in June alone.[1] Half of United Kingdom (UK) firms are planning to hire.[2] Yet 87% of employers are facing a gap between the skills they need and those available to them in the workforce.[3] So, recruitment is the answer to bring vital new skills into the business.

The new Questionmark report, “Skills, Culture, Vocation: Finding the Right Recruits” urges employers to ensure the “person-organization” fit of new hires. If a new team member does not share their employer’s goals and values, it can place culture and productivity at risk.

Staff members that feel a sense of belonging are six times more engaged than those that don’t.[4] And a clash of culture is one of the main reasons that people part company with their employer.[5]

John Kleeman, Founder of Questionmark, said: “Hiring quickly can prove a false economy. If a new starter is not the right fit for the organization, they probably won’t last long. Replacing an employee costs about a third of their salary. Employers must get recruitment right.”

Measuring the skills, attitudes and values of someone before hiring them can help employers check they have the right person-organization fit. Skills assessments can show whether they have what it takes to do the job. Measuring their attitudes and values will indicate whether they are likely to be a good fit for culture.

Questionmark provides a range of ready-made assessments to test business skills such as data literacy, digital marketing and customer care.

Questionmark Thinking Skills Assessment by Cambridge Assessment enables employers to measure the critical-thinking and problem-solving skills of job applicants. This can indicate how likely a potential recruit is to progress within an organization.

Read the full report: “Skills, Culture, Vocation: Finding the Right Recruits”.

Notes to editors

About Questionmark

Questionmark unlocks performance through reliable and secure online assessments.

Questionmark provides a secure enterprise-grade assessment platform and professional services to leading organizations around the world, delivered with care and unequalled expertise. Its full-service online assessment tool and professional services help customers to improve their performance and meet their compliance requirements. Questionmark enables organizations to unlock their potential by delivering assessments which are valid, reliable, fair and defensible.

Questionmark offers secure powerful integration with other LMS, LRS and proctoring services making it easy to bring everything together in one place. Questionmark’s cloud-based assessment management platform offers rapid deployment, scalability for high-volume test delivery, 24/7 support, and the peace-of-mind of secure, audited U.S., Australian and European-based data centers.



US: Kristin Bernor, external relations: +1 203.349.6438

UK: James Boyd-Wallis: +44 7793 021 607

Australia and New Zealand: Chelsea Dowd: +61 2 8073 0527