Understaffing in cybersecurity — the “skills gap” — is driving up the cost of data breaches in recent years, according to a decade of reports by IBM.

The 2024 IBM Data Breach Report found that more than half of breached organizations experienced severe security staffing shortages, a 26.2% increase from the previous year. They found this through a statistical analysis of the data gathered from in-depth interviews of more than 600 organizations that suffered data breaches in the prior year.

The 2024 report makes the link between staffing shortages and cybersecurity clear:

“As we’ve seen across the industry, cybersecurity teams are consistently understaffed. This year’s study found more than half of breached organizations faced severe security staffing shortages, a skills gap that increased by double digits from the previous year. This need for trained security staff is growing as the threat landscape widens. The continuing race to adopt gen AI across nearly every function in the organization is expected to bring with it unprecedented risks and put even more pressure on these cybersecurity teams.”

The Cost of a Data Breach Report 2022 found a direct link between staffing shortages and higher data breach costs. Organizations with insufficiently staffed security teams faced an average breach cost of $4.56 million ($550,000 higher than those with sufficient staffing).

Similarly, the 2024 report revealed that the growing skills gap contributed to a $1.76 million increase in average breach costs.

The cybersecurity skills gap is just one piece of the puzzle

Other factors contribute to both the shortages and the rising cost of data breaches. One is the ever-expanding attack surface. The latest report highlights the rapid adoption of new technologies, such as generative AI, contributing to the widening skills gap. According to the 2024 report, “The continuing race to adopt gen AI across nearly every function in the organization is expected to bring unprecedented risks and put even more pressure on these cybersecurity teams.”

Organizations embrace new technologies, and the complexity of cybersecurity grows. New technologies often require expertise and specialization. So, one contributing factor to the skills gap is that new technologies require new skills faster than the development of professionals who possess those skills.

The Cost of a Data Breach Report 2022 also points out that rising incidents, combined with the pandemic-related shift to remote work, intensified workloads, stress and pressure, leading to burnout and contributing to the skills shortage.

Security staffing shortages are a problem that expands over time, according to Sam Hector,
Senior Strategy Leader, IBM Security. When you lack the right cybersecurity expertise, three things happen, he said:

1. “The time to triage alerts grows as the queue of incidents to review becomes longer, meaning you’re more likely to be breached. Attackers’ dwell times increase (when they are in your environment undetected) as you’re less likely to find the needle in the haystack. The increasing time to detect directly leads to higher breach costs on average.”
2. “Teams that are stretched too thin don’t have the time to devote to improving cybersecurity processes, integration and efficiency. They’re unable to drill exercises and embark on further training as they’re too focused on keeping the lights on. This means over time, they’re less effective compared to the threat landscape, and misconfigurations and gaps develop that attackers can exploit.”
3. “If there’s a specific industry, region or even organization that is known to be struggling to acquire cybersecurity skills, this puts them at increased risk of being targeted by attackers that will be anticipating weaker defenses.”

Meanwhile, he said, “IT needs to continue to grow larger and more advanced, as new technologies like Generative AI and Hybrid Cloud environments expand the attack surface, increasing the complexity and scope of systems that need protection, putting additional strain on security teams.”

What to do about the skills shortage

Recent IBM Cost of a Data Breach reports recommend specific approaches to help organizations address the skills shortage in cybersecurity. Here are the major recommendations:

Managed security services: Employing managed security services could help. Outsourcing specific security functions to specialized providers could alleviate some pressure on internal teams and provide access to skills and knowledge that might be unavailable in-house.

Simpler environments: Remove complexity wherever possible. While this can be difficult while understaffed, it does pay dividends in the long run. Such simplification saved, on average, $1.64 million, according to the 2024 report.

Training and development: Conduct assessments to identify areas where employees need improvement. Investing in targeted training can bring missing skills in-house and develop cybersecurity skills internally. Provide access to cybersecurity training programs, workshops and courses. Offer financial incentives or reimbursement for employees pursuing relevant certifications. Create clear career paths for employees interested in cybersecurity roles. Foster a culture of knowledge sharing and mentorship within the organization. Organizations can transform them into cybersecurity experts already familiar with the company’s infrastructure by upskilling and reskilling existing IT staff. Retaining and training staff reduced costs by $259,000  on average, according to the 2024 report.

Pay and benefits: Competitive compensation and benefits packages can help your organization outcompete others to hire the best people. Implement employee referral programs. Recruit from non-traditional backgrounds. Also, focus on retaining your qualified staff by fostering a respectful and collaborative work environment.

Finding talent in academia: Foster and maintain strong links with local universities through collaborating on course materials and delivery, offering placements and developing a well-advertised graduate entry route into your organization.

Prioritization: Adopt a risk-based prioritization of all security tasks by focusing limited resources on the highest-risk areas, like the most sensitive data, the critical infrastructure for business resilience and the highest impact attack vectors.

Stronger identity: Strengthen identity security. The most common and impactful attack vectors were primarily focused on this route, according to the 2024 report, with stolen and compromised credentials representing the most common breach cause, with phishing following closely behind.

AI and automation help close the gap

Security automation, driven by AI and machine learning, can improve efficiency and partially offset the impact of staffing shortages.

AI can automate repetitive tasks like data mining connected data sources, threat intelligence feeds, and other open source intelligence in order to perform much of the work a tier 1 analyst would normally undertake manually, according to Hector. “It’s also enabling teams to detect threats faster by using machine learning to analyze vast amounts of data, like network traffic or user behavior, to spot patterns that may indicate risk.”

With generative AI tools, staff with less experience can gain insights and recommendations that enable them to make better decisions, according to Hector. AI is also enabling better management of complex security environments by identifying misconfigurations and vulnerabilities and either remediating them automatically or recommending how to do so.

“This has resulted in those with extensive use of AI realizing average breach cost savings of $1.9 million, and those using AI extensively in prevention workflows specifically were able to save $2.2 million in breach costs on average,” Hector said.

Security teams can focus on more complex threats and incident response activities by automating routine tasks and deploying Security Information and Event Management (SIEM) systems to centralize security monitoring.