How to close the cybersecurity skills gap? Here’s a novel idea: pay security professionals better.
This simple fix could help address a decade-old problem, according to this year’s The Life and Times of Cybersecurity Professionals report, which found 38% of respondents believe that lack of competitive compensation is the No. 1 reason for the skills shortage.
Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) conducted research for their fifth annual report earlier this year. It’s based on data from a global survey of 489 cybersecurity professionals.
As in previous years, the 2021 Life and Times survey finds virtually no progress toward solving the skills crisis, which ESG and ISSA report has hurt 57% of organizations. The top ramifications of this include an increasing workload (62%), unfilled open job requisitions (38%), and high burnout among staff (38%).
Additionally, almost all (95%) of respondents agreed that the cybersecurity skills shortage has not improved over the past few years, and 44% say it has gotten worse.
This year, ESG and ISSA started the research process with a focus group made up of a handful of cybersecurity professionals across levels of experience, from entry level to CISO. Both in the small group and the larger survey, the authors wanted to focus not just on problems plaguing the industry, but also on solutions, said Jon Oltsik, ESG senior principal analyst and fellow.
Companies Aren’t Investing in People
“And when we asked specifically about the cybersecurity skill shortage, [compensation] came up in a couple of different responses. People aren’t being paid competitive rates,” he said, adding that this also contributes to problems that companies face in hiring and retaining skilled security professionals.
In fact, more than three-quarters (76%) of respondents said that it is difficult to recruit and hire security staff, while 18% said it is extremely difficult. Additionally, higher pay is the top reason (33%) that CISOs leave their company for a new one.
ISSA International President and NeuEon CISO Candy Alexander, who has worked in cybersecurity for 30 years, said low compensation “absolutely” rings true. “When we look at comparisons” to other IT professionals, “the question is always: Are we valued and paid as much as they are,” she said.
And while other recent reports have forecast increased cybersecurity spending as a result of the COVID-19 pandemic, Alexander said this doesn’t necessarily mean better pay for security professionals. “I’m seeing more focus on technology” and product spending, she added.
“It all comes down to value,” Alexander continued. “What is the value we’re placing on cybersecurity professionals, their role, and contributions in the organization? When you value something or somebody, you’re willing to pay more for it. When we look at the value question and the investment question, we should ask organizations where do they put their investment? Is it in tools and technology, or is it in staffing?”
The joint research with ESG indicates that companies aren’t investing in their people. “And that’s the problem,” she said. “So then that leads to the question: why? And this is an underlying theme throughout the whole research data: Does the business fully understand the role of a cybersecurity professional and the contributions they make within the organization?”
Cybersecurity Training Gap
ESG and ISSA recommend a holistic fix for the skills shortage that includes continuous cybersecurity education, career development and advancement opportunities, and better integration of cybersecurity into the business. This also means including security as part of planning and strategy processes with executive management and the board of directors.
In addition to a skills gap, this year’s report also identified a cybersecurity training gap: 99% of respondents either strongly agree or agree that professionals need to keep learning and maintaining their skill set, or else they put their organizations at risk from potential attackers. However, 82% strongly agree or agree that while they try to keep up and learn new skills, job requirements get in the way.
While many professionals want to achieve at least 40 hours of training each year, 21% said they did not hit the 40-hour mark, and the top reason (48%) is that they can’t afford to pay for the training and certifications themselves.
And when asked what organizations could do to address the skills shortage, the biggest response (38%) was to increase cybersecurity training.
“We really want organizations to invest in us, but if your organization doesn’t, don't stop, don’t be a victim, go out and invest in yourself,” Alexander said. “Go get that training.”
Build Relationships Across the Business
However, even among organizations that do pay for training, cybersecurity professionals’ existing workload and related stress that prevents them from learning new skills points to companies’ “not recognizing the value of that training, and making sure that their people take that training,” Oltsik added. “And as a result, there’s the skills gap that just keeps growing.”
Addressing both the cybersecurity skills and training gap requires all levels and lines of business to improve relationships with the security team. And, as with most business decisions and workplace cultures, this starts at the top. CISOs must lobby HR and finance for competitive salaries and security training budgets, the report says.
“I often equate that to the medical field,” Alexander said. “Do you really want to go to a doctor who hasn’t had any update or refresh in his training or skills in a number of years? Probably not. We need to look at the importance of training, because we’re the defenders of the environment.”
Advice for Entry-Level Professionals
Additionally, the survey asked respondents to offer advice for entry-level security professionals. “The reason we did that is because there’s another Catch-22 in that, even though there’s a skill shortage and a shortage of qualified people, entry-level people a lot of times struggled to get their first job,” Oltsik said.
The top piece of advice (49%) was to get a basic cybersecurity certification, followed by joining a professional industry organization (42%) and finding a mentor (36%). Additionally, 29% recommend specializing in a particular cybersecurity area. “The three top areas for skills deficiencies were cloud security, security analytics, and application security,” Oltsik said. “So, if you want to escalate your career, then you should look for training in one of those areas because it could have a lucrative outcome.”