Sophisticated cyber security defences are increasingly in high demand as a cyber security attack is now viewed as an inevitability. However, a majority of surveyed organisational leaders fear they are ill-equipped to address these threats head-on.
According to a new cyber security workforce study by ISACA's Cybersecurity Nexus (CSX), only 59% of surveyed organisations say they receive at least five applications for each cyber security opening, and only one3% receive 20 or more. In contrast, studies show most corporate job openings result in 60 to 250 applicants. Compounding the problem, ISACA's State of Cyber Security 2017 found that 37% of respondents say fewer than one in four candidates have the qualifications employers need to keep companies secure.
"Though the field of cyber security is still relatively young, demand continues to skyrocket and will only continue to grow in the coming years," said Christos Dimitriadis, ISACA board chair and group director of Information Security for INTRALOT. "As enterprises invest more resources to protect data, the challenge they face is finding top-flight security practitioners who have the skills needed to do the job. When positions go unfilled, organisations have a higher exposure to potential cyberattacks. It's a race against the clock."
More than one in four companies report that the time to fill priority cyber security and information security positions can be six months or longer. In Europe, almost one-third of cyber security job openings remain unfilled.
Cyber Security Qualifications: A Moving Target
Most job applicants do not have the hands-on experience or the certifications needed to combat today's corporate hackers, ISACA's report found.
"The survey underscores a fundamental disconnect between employer expectations and what candidates can actually bring to the table," said Matt Loeb, ISACA CEO. "Employers are looking for candidates to make up for lost time but that doesn't necessarily mean a significant academic investment. Many organisations place more weight in real-world experience and performance-based certifications and training that require far less time than a full degree programme."
ISACA's report highlighted where hiring managers' expectations are shifting most as they consider candidates for open cyber security positions:
* 55% of respondents report that practical, hands-on experience is the most important cyber security qualification.
* 25% of respondents say today's cyber security candidates are lacking in technical skills.
* four5% of respondents don't believe most applicants understand the business of cyber security.
* 69% of respondents indicate that their organisations typically require a security certification for open positions and most view certifications as equally, if not more, important as formal education.
Closing the Gap
ISACA offers five recommendations to help employers find, assess and retain qualified cyber security talent:
1. Invest in performance-based mechanisms for hiring and retention processes. ISACA's upcoming CSX assessment capability will help employers assess performance level of prospective and current staff members.
2. Create a culture of talent maximisation to retain the staff you have. Even when budgets are tight, there are things that can be done that don't impact the bottom line: alternative work arrangements, investment in personnel growth and technical competency, and job rotation to help round out skills and minimise frustration with repetitive (but necessary) tasks.
3. Groom employees with tangential skills – such as application specialists and network specialists – to move into cyber security positions. They are likely to be highly incentivised to do so and it can help fill the gap in the long term. Having a path in the organisation to do this can be a solid investment, as it can be cheaper to fill those gaps and help support employee morale.
4. Engage with and cultivate students and career changers. An outreach programme to a university or an internship programme can help with this.
5. Automate. Where security operational tasks can be automated, it can decrease the overall burden on staff and thereby help make best use of staff that an organization already has.
ISACA at RSA
Four ISACA leaders will participate in a CISO panel on the findings of this report and the steps organisations need to take. State of Cyber Security: Overcome Workforce Challenges, Build a Skilled Team will take place on Thursday, February 16, at 2:45 p.m. PST. The CISOs will discuss how to reduce the time to find a qualified candidate, which skills candidates most often lack, the best ways to develop skills among an existing team and how to train new team members.
ISACA experts will also be available at booth 306 throughout the conference.
To download a complimentary copy of the workforce report, visit www.isaca.org/state-of-cyber-security-20one7. The second volume of the State of Cyber Security study, featuring threat landscape and security governance data, will be available later this year.