ESG and ISSA Study Reveals Serious Blind Spot for Cybersecurity Employers

It’s no secret that there’s a shortage in cybersecurity staffing, and organizations are constantly looking for ways to increase the talent pool.

Certainly, we need to get more people interested in starting a career in cybersecurity. But once they are ‘in’, we need to keep them there. In a seller’s market, this means offering incentives that encourage longevity with the same employer, despite the high pressures of the job and lucrative offers from the competition.

To get a sense of what this full picture looks like – a picture that extends beyond the simple view of “there’s a shortage” – ESG and ISSA conducted a study of 437 cybersecurity professionals. Their findings offer some surprising revelations, to which organizations should pay very close attention.

Here are a few highlights from the report they presented during a recent press review, as delivered by Jon Oltsik, senior principal analyst at ESG, and Candy Alexander, director, ISSA Education Foundation.

Top reasons people get into InfoSec as a career:

  1. People want to make a difference in the battle of good vs. evil we’re witnessing in the IT world. [Technology impacts our freedom, wealth, and way of life. For many, a sense of morality draws them to the field.]
  2. It’s a natural extension from their IT job (78% of professionals interviewed started in IT).
  3. It offers an opportunity to bring a new level of ingenuity to their approach to technology.

For cybersecurity professionals looking to keep up with their cybersecurity skills, face-to-face and experiential programs are very important.
— Jon Oltsik, ESG

Primary ways professionals keep up their cybersecurity skills:

  • 58% attend specific cybersecurity training courses: primarily hands-on courses such as red team exercises, incident response training, and threat hunting.
  • 53% join professional organizations, including participating in birds-of-a-feather and networking events.
  • Many engage with mentors and take part in on-the-job training.
  • Finally, over one-third of the respondents look at getting additional certifications, for which there are many.

Speaking of certifications, the survey found that 55% of the respondents find them useful for developing their cybersecurity skills. What are the certifications they care most about? The CISSP certification topped the chart by a huge margin: 55% claimed it provided them with the knowledge, skills, and ability needed as a cybersecurity professional. In addition to keeping current, 61% claim the CISSP certification is great for getting a job.

For the rest of the certifications, the survey results raise an interesting question: Are we spending our resources appropriately? “Unless there are specific use cases, perhaps not,” suggests Oltsik.

The resulting certification list was a shock to me.
— Candy Alexander, ISSA

“Growing up with the profession, the CISSP was certainly first and foremost in terms of certifications, but it was a jaw-dropping data point to see the others having such little perceived value.”

The point here though isn’t the value of certifications in general, it’s just that they aren’t perceived as being as beneficial as other educational activities for the purpose of keeping a job.
Perhaps a more troubling data point to come out of the survey is that organizations may not be putting enough into their training programs. If that continues, they will find they remain short-staffed, and the cybersecurity employees they are able to hang on to will fall behind in their skills.

According to Oltsik, more than half (56%) of the respondents don’t believe they get enough training and 24% said they need significantly MORE training. This points to a potential issue with job satisfaction. “If they are not satisfied, there will be attrition – people are always job shopping and they are always being courted,” said Oltsik.

Career satisfaction does not appear to hinge on formal IT security training alone. “We need to mentor cybersecurity professionals with guidance and help them grow their careers or someone else will do it, and there will be a lot of attrition,” added Alexander, pointing to the survey results that show on-the-job mentoring as a key requirement for increasing cybersecurity knowledge, skills, and ability. Mentoring was third on the list at 37%, revealing that formal professional development, though necessary, is not enough.

The courting rate was actually one of the big surprises to come out of the survey. “46% of the respondents said they have been solicited by a recruiter at least once a week,” said Oltsik. The fact that solicitation is taking place was not the surprise; the extent and scope was what caught the two groups’ attention. A lot of movement in this area will introduce a lot of challenges for organizations to deal with, with hiring a replacement being just the tip of the iceberg.

“It’s not just about the next widget and hiring more people,” concluded Oltsik. “You need to invest in the people you have.”

If organizations don’t heed the warnings from this survey, we could find ourselves in a long-term state of being under-staffed, under-skilled, and under-invested.

To download a full copy of the report, you can visit: or

Sean Martin, CISSP, Editor in Chief