Some Cyber Roles are Overstaffed While Others Are Understaffed

Nov 14, 2019

As organizations struggle to staff their cybersecurity teams, new (ISC)2 research reveals they may also be suffering from an imbalance in the distribution of team member roles. Positions that currently appear overstaffed include compliance, forensics and operational technology security, while jobs in security operations, security administration and risk management seem to be understaffed.

This creates a need for CISOs and cybersecurity managers to take a close look at their teams and figure out what adjustments to make. Keeping too many people in certain roles while understaffing other positions potentially makes it harder for an organization to build and maintain effective defenses against cyber attacks.

Such an imbalance, on top of a worldwide skills shortage of about 4 million cybersecurity professionals, could lead to security gaps that cybercriminals may exploit. Both the imbalance and the skills shortage are among the findings of (ISC)2’s Cybersecurity Workforce Study 2019, which polled more than 3,000 cyber and IT professionals.

The study estimates the current cybersecurity workforce in the United States and 10 other world economies at 2.8 million – about 4 million short of what it needs to be. Filling the gap would require a 145% increase in cybersecurity workers.

Size and Regional Differences

As cybersecurity has evolved into its own discipline with responsibilities distinct from general IT, it has spawned a long and varied list of professional roles, including CISO, security architects, engineers, analysts and developers. As in any other business area, striking the right balance among these roles is important to achieve the best possible results.

The Workforce Study suggests that overstaffing and understaffing in cybersecurity roles vary by company size and region, though of course not every company is the same. There are some regional differences in how organizations prioritize roles, with greater emphasis on general security operations in North America and on forensics in Europe.

Overall, smaller companies (1 to 99 employees) appear to place more emphasis on generalized roles such as security operations and administration, while larger companies (500 or more employees) have more specialized roles such as penetration testing and forensics.

Lengthy Tenure

Despite uneven role distribution, cybersecurity professionals by and large tend to have a fair amount of experience and tenure in their organizations. On average, participants have spent nine years in IT, six years at their current employers and five in a cybersecurity role. The average cyber professional holds four security organization certifications and three security organization memberships.

So it’s clear that experience has been building in cybersecurity teams, but teams would likely benefit from a better distribution of roles — something CISOs and IT directors may want to address. A well-balanced team is more likely to put the right controls and policies in place to prevent cyber attacks.