For years, the cybersecurity industry and policymakers have engaged in a seemingly never-ending debate around the root causes of a global workforce crisis in cybersecurity.

In the U.S., businesses and governments have often found themselves competing and poaching from the same talent pool while engaging in a perpetual debate over why, with employers citing a lack of qualified candidates and workers blaming the gap on the lack of opportunities for entry level or newer employees to break into the industry.

Now, a new study from non-profit (ISC)2 drawing on survey responses from more than 11,000 cybersecurity practitioners and decisionmakers offers a more or less decisive answer to the argument: the problem lies mostly with organizations that fail to invest enough into developing their cybersecurity workforce, not a shortage of available talent.   

“This analysis suggests that the most negatively impactful issues are ones that organizations can indeed control: not prioritizing cybersecurity, not sufficiently training staff, and not offering opportunities for growth and promotion. Being able to find qualified talent was actually the least impactful problem based on this analysis,” the report stated.

According to the non-profit, there are roughly 4.7 million cybersecurity workers around the world – an 11 percent increase over the prior year and the highest ever recorded as concerns around cyber attacks, ransomware and digital espionage have become a top focus for governments and the private sector alike.

That figure actually significantly underestimates the level of interest in cybersecurity skills, as hundreds of thousands of jobs around the U.S. remain unfilled and the number of cyber job openings globally (3.4 million) is not much smaller than the cybersecurity workforce itself, while growing at a faster pace.

The end result is that seven out of every ten organizations report being understaffed on cybersecurity, with governments and the insurance, aerospace, education and transportation sectors experiencing the most pain. That shortage has in turn stretched security teams thin and affected their ability to meet their organizational needs, leading to slower patching times, fewer training resources and not enough time for security assessments and oversight.

According to the report, organizations without talent were more likely to lean heavily on automating processes, programs that train internal talent, standing up rotating job assignments, creating mentorship programs and conducting outreach to nontraditional groups. However, the most popular initiatives adopted in many industries, like outsourcing, actually tend to make them more likely to report impactful shortages.

The urgent need for more cybersecurity workers has been a cause for reflection within an industry that remains largely white and male, with women making up less than a quarter of the workforce and minorities struggling to find viable career pipelines and break into the field. Many women continue to report harassment from male colleagues, while studies and anecdotes indicate that female students aren’t encouraged to pursue careers in computer science or STEM fields at nearly the same rates as males.

“I had people tell me that I didn’t look like a hacker, I had people tell me I was only getting on CNN because they wanted a token woman on the show,” Allie Mellen, a senior analyst at Forrester, told SC Media in September. “Those kinds of comments … don’t feel great. It was very common, actually.”

Love the work, not the job

While other studies have found that cybersecurity professionals are burning out in the face of a global pandemic, a never-ending deluge of new vulnerabilities and heightened vigilance for digital spillover from the war in Ukraine, (ISC)2’s research suggests that cybersecurity workers still enjoy their craft.

Seventy-five percent of respondents said they were “very satisfied” or “somewhat satisfied” with their work, and those who left their jobs were more likely to do so because they found a higher paying position or got promoted than for burnout, bad work/life balance or an unhealthy workplace culture. Workers were also far more likely to blame organizational issues for their unhappiness with their jobs, while their passion for cybersecurity remained high.

The most significant factor of poor [employee experience] was the failure of organizations to listen to or value employee input. Cybersecurity professionals are passionate about their work, so while overwork is not a positive thing, it is not as negative as feeling like their expertise and knowledge are not being valued or asked for. The data shows this impact is felt particularly with older workers who may feel like their experience has earned them the right to have a voice in the industry and their organizations. When these employees are not listened to, they do not feel valued.

Following a trend that has engulfed many industries, the cybersecurity industry has seen soaring rates of telework in the face of the COVID-19 pandemic, with a majority of the industry (55%) now saying they do their jobs remotely. Over half of remote workers in the industry say they would look for another job if forced to come into the office, and remote work appears to have a beneficial impact on burnout.

“The move to remote work has allowed people to proactively combat feelings of burnout that would otherwise weigh down their day-to-day experiences,” the report noted. “The traditional workday is now broken up with non-work activities in between tasks, such as physical exercise and pursuing hobbies and other passions after work hours.”