Evidence of the cybersecurity shortage continues to roll in: 55% of organizations reported that open cyber positions take at least three months to fill, while 32% said they take six months or more. And, 27% of US companies said they are unable to fill cybersecurity positions at all, according to a report from the nonprofit ISACA, released Monday.
ISACA surveyed 633 managers and practitioners whose primary job function is cybersecurity or information.
The primary problem stems from a lack of qualified applications, the report stated. “We found that there continues to be this fundamental disconnect between what employers are looking for in terms of cybersecurity skills and what candidates are actually bringing to the table,” Rob Clyde, a member of the ISACA board of directors, told TechRepublic.
Most corporate job openings on Glassdoor get 250 applicants, Clyde said. But, for cybersecurity positions, 59% of businesses said they received only five applications. And 41% said they received fewer than five applicantions.
Of those that do apply for these positions, 37% of companies said fewer than one in four candidates are qualified. Some 55% of enterprises ranked hands-on experience as the most important applicant attribute, followed by references (13%), certifications (12%), formal education (10%), and specific training (9%).
“They really valued training as well as having hands-on experience,” Clyde said. “Getting to learn things firsthand was really crucial, because of how technical and fast moving it is.” Nearly 70% of respondents said their enterprises typically require a security certification for open positions, the report stated.
Anecdotally, companies are looking for people who can deal with more sophisticated attacks such as zero day, ransomware, and spear phishing, Clyde said.
Some 45% of enterprises also said they don’t believe that job applicants understand the business of cyber, the report found. “One of the skills to learn is to really understand the business, and how cyber relates to the business,” Clyde said. “Don’t just use fear and talking about how bad things can happen, but say ‘We’ve looked at the risk, this is where the biggest issues are, here is the first priority we are going to address.’ Put it in business terms they can understand.”
At the chief security officer level, which companies are also struggling to hire for, it’s imperative to have strong communication skills, Clyde said.
ISACA offers the following four tips for finding, assessing, and retaining qualified cybersecurity professionals:
1. Create a culture of talent maximization to retain the staff you have.
“Don’t lose the ones you already have,” Clyde said. If budgets are tight and cuts need to be made, Clyde recommends choosing a category where you know you will get more applicants for the position later.
2. Groom employees with tangential skills to move into cyber security positions.
“Being a cyber practitioner is a technical position, and there are many excellent applications, IT, and network specialists who may be able to move into a cybersecurity position,” Clyde said. “Most of the time people are attracted to cyber, and may be interested in making a lateral move, which may help fill the gap.”
A number of people, especially women, have followed this path to becoming “accidental” cybersecurity professionals, I recently reported.
3. Engage with and cultivate students and career changers.
An outreach program at a university or an internship program can lead to valuable connections, Clyde said. Companies and universities should also encourage more women to enter the field, Clyde said, as women make up only 11% of the world’s information security professionals.
As AI and machine learning technology continues to progress, some security operational tasks can be automated, decreasing the overall burden on staff, Clyde said.
Before undergoing a cybersecurity staff search, CXOs must understand that it will not be easy, Clyde said. “You may have to think outside the box, recruit in a wider geographic area, or recruit for tangential skills and do training,” he said.