The shortage of trained professionals with cyber-security skills is acute and worsening, and it is adding to the number of data breaches that are taking place.

A report last month by the Information Systems Security Association (ISSA) and the IT analyst firm Enterprise Strategy Group (ESG) shed light on the scope of the problem and offered guidelines to businesses for easing the skill crunch. This was the second year in a row that the two organizations have partnered to conduct the study, and the results depict a widespread business problem that is becoming more severe.

Nearly three-fourths (70%) of the ISSA and ESG survey respondents indicate that the shortage of people with cyber-security skills has had an impact on their organization. Yet 62% of them also concede that they are falling behind in providing an adequate level of training for their data security personnel. And that figure is up almost 10% from last year’s study.

Nearly half (45%) of the 343 data security professionals surveyed say their organization experienced at least one security event during the past two years, and 91% believe that they are vulnerable to a significant cyber attack or data breach. Among the top contributing factors, 31% blame a lack of security training for non-technical employees; 22% point to the shortage of data security professionals; and 20% find fault with their management for making cybersecurity a low priority.

Among the array of security-related skill shortages, the respondents identified data security analysis (31%), application security (31%) and cloud computing security (29%) as the most acute.

“The cyber-security skills shortage represents an existential threat to our national security, and this year-over-year comparison data bears out this fact,” says Jon Oltsik, an ESG analyst and the report’s author. “We are not making progress, cyber-security professionals can’t scale, and the implications of the skills shortage are becoming more pervasive and ominous. It is clear that the solution must be about more than filling jobs,” he adds. “It is about creating an environment from the top down of cybersecurity as a priority.”

In the report, Oltsik also identifies the five most important investment mistakes that businesses make with regard to cybersecurity and suggests remedies based on the study:

1. Failing to align cybersecurity and business goals: To correct this, 43% of the survey respondents suggest establishing security-related goals and metrics for IT and business managers.

2. Failing to create repeatable processes: Poorly defined manual and informal processes create security risks. To rectify this, 41% of the respondents suggest formalizing and documenting all processes with data security implications.

3. Failing to invest in personnel training: Although companies are increasing their spending on data security technology, the respondents suggest that they still need to invest more in security-related training and education for all personnel, at all levels of the organization.

4. Failing to provide the right training: To develop data security skills, three-fourths of the respondents favor investing in training courses and professional development organizations over security certifications. They also suggest employing “just-in-time” online training with a focus on specific skills, such as application and cloud security.

5. Failing to plan for an ongoing skill shortage: With no end in sight to the skill deficit, the respondents suggest that companies develop aggressive programs for recruiting data security talent from a variety of disciplines, including IT ops, network engineers and business analysts.