Enterprise Strategy Group (ESG) has been one of several organizations tracking the cybersecurity skills shortage and they have been sounding an alarm for many years. While a few tactical programs have attempted to address this shortfall, ESG views them more as lip service rather than a real solution. Alarmingly, the situation appears to be getting much worse—so much so that ESG and others now believe that the growing cybersecurity skills shortage represents a national security risk.

Demand for trained, experienced cybersecurity professionals far exceeds supply. Lacking a comprehensive cybersecurity education and training strategy, large organizations will continue to battle highly sophisticated and well-organized cyber-adversaries with their own skeleton crew.

More specifically, there is also a growing divide between the ever-growing complexity in our IT environments and the personnel resources to support it. I call it the “Complexity Gap.” The Complexity Gap comes from the overwhelming number of security controls, distributed devices, and worldwide mobile workforce that compound as each variable shifts. The graph below shows how the rise of more controls and devices is dramatically outpacing the staff needed to manage them all.


Consider how labor-intensive it is to see, control, respond to, and secure endpoints. The metrics involve IT and IT security staff, users, devices, and the growing number of controls within those devices. Each of these considerations come together in what can be called, “Device Hygiene Care.” Namely: what must be accounted for to keep devices secure and operating effectively? As the graph illustrates, ensuring that endpoints have sufficient hygiene has become increasingly difficult as device distribution grows and the skills shortage worsens.

In 2000, the value for Device Hygiene Care (C) was 2: IT resources were 2x higher than the level of effort required for device hygiene. In short, IT and IT security teams once had bandwidth: there weren’t too many controls, devices, or data distributed among worldwide users. Today, bandwidth is a thing of the past for nearly all IT and IT security groups. Personnel resources would have to be multiplied 12x (C-12) to have adequate coverage to achieve endpoint hygiene across all devices.

Where does this lead? According to ESG, 63% of IT professionals admit that the staff/skills shortage in their organization has had negative impact to security operations. Additionally, 40% stated that their cybersecurity team is too small and cannot keep up with the work demanded by the business, “the biggest contributor to security incidents.”

The skills shortage and the complexity gap feed on each other, leading to negative outcomes such as data breaches, data integrity and compliance failures, criminal prosecution, limited value from existing tools, and delays to respond to the business’s needs.

When no one is minding the control switches, breaches happen.

To learn the key strategies for building and maintaining a comprehensive ecosystem of management and security controls for all of your endpoints, get our new guide:

Four Essential Strategies for Endpoint Security whitepaper