Cybersecurity professionals have been in crisis mode for 10 years. That’s because as a profession, these tech pros don’t have a big picture view of their profession or careers. That’s according to a recent cooperative research project from Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA).

The Life and Times of Cybersecurity Professionals 2020 report is the fourth annual research project to focus on the lives and experiences of cybersecurity professionals. The report gathered information from 343 cybersecurity professionals who work in organizations of all sizes, across industries and geographies.

The comprehensive survey focuses on cybersecurity careers, skills development, cybersecurity organizational considerations, security incidents and vulnerabilities, the cybersecurity skills shortage, and cybersecurity activities.

“As this and past reports clearly indicate, organizations and cybersecurity professionals are not looking at the profession strategically. There is a continuous lack of training, career development and long-term planning. As a result, cybersecurity professionals often muddle through their careers with little direction, jumping from job to job and enhancing their skill sets on the fly rather than in any systematic way. This, combined with the continued cybersecurity skills shortage, has stalled cybersecurity progress,” writes Jon Oltsik, senior principal analyst and fellow at ESG.

The News Is Dire

That’s dire news, indeed.

In fact, the cybersecurity skills shortage is getting worse. Seventy percent of organizations are negatively impacted by this crisis, according to the ISSA members and survey takers for the report.

There isn’t a silver bullet that will solve the cybersecurity skills gap. Rather, multiple issues contribute to the problem and have for a number of years. Report researchers cite those factors as: lack of understanding the role of information security at businesses; no clear and agreed upon career map within the profession; and the constant stress security pros face in attempting to improve collaboration efforts with IT.

“Cybersecurity will only exhibit a positive change through a more holistic approach,” according to report authors.

This year’s report includes a number of new questions. For example, respondents rated several constituencies in terms of their ability to keep up with cybersecurity challenges. Most respondents believe that government and schools are not keeping up with cybersecurity challenges. Almost all respondents said that government agencies should be doing somewhat or a lot more to address cybersecurity challenges. Eighty-four percent of respondents believe that public schools/institutions should be doing somewhat or a lot more to address cybersecurity challenges. This data reflects an age-old cybersecurity belief — cybersecurity is most effective when it is baked in, rather than bolted on, to any discipline or culture, according to the report.

The Bad Guys Are Winning

Another question new to this year’s research asks how long it takes to become a proficient cybersecurity professional. Thirty-nine percent of respondents said three to five years; 22% said two to three years, and 18% said more than five years.

For the second year in a row, survey respondents were asked to compare the status of cyber adversaries over cyber defenders. The answer was discouraging.

This year, two in three (67%) believe adversaries have an advantage over defenders. That number is up from less than three in five (59%) in last year’s research.