A man walks through a Microsoft server farm. A dearth of skilled cyber talent is driving burnout. (Amy Sacka for Microsoft)


Security pros continue to have challenges sourcing experienced security talent, with some 73% of respondents to a recent Stott and May-Forgepoint Capital survey saying it’s a major area of concern.

Other leading hurdles include budget (35%), technology (13%), and lack of board-level buy-in (9%). Time-to-hire also ranks high, as 35% point to positions being left unfilled after 12 weeks.

While 80% of security pros say their business perceives the security function as a “strategic priority” – up from 54% last year – 51% worry that cyber investment has not kept pace with the drive towards digital business.

Security industry pros such as Chris Morales, chief information security officer at Netenrich, say the pace of the attacks has caused burnout and frustration at many organizations. Morales said the industry has experienced major hardships for security professionals because of the rise in sophisticated attacks and business demands, citing ransomware, the recent Log4j exploits, and SolarWinds attacks.

Morales said the skills shortage, and thus overload of work on the people tasked with managing it, reflects how manually-intensive and complex the threat detection and response process still are, and how this vigorous time-consuming process limits analysts from being effective in managing risk to enable business growth.

“Even more daunting is that the job of detecting threats is never done, and manual investigation of security events consumes hours of an analyst’s day,” Morales said. “In the end, many security analysts typically feel as though they haven’t contributed to the overall cybersecurity posture of an organization. and thus begin feeling burnout.”

Heather Paunet, senior vice president at Untangle, added that there’s a general lack of awareness of what careers in cybersecurity entail and how important these jobs are to the nation’s economy.

“We need organizational change that recognizes the severity and devastation cyberattacks can cause and why companies should make cybersecurity a priority,” Paunet said. “But companies need to ensure this investment isn’t just in technology, but also in their current workforce with continual training, advancement opportunities, and recognition.

IT education programs also need to “do the profession justice,” emphasizing the different roles and careers available in cybersecurity, she added. Recent high-profile ransomware attacks are an opportunity “to show students how their path could lead to detecting and stopping attacks or even finding cyber criminals."