Organizations are understandably concerned about how difficult and time consuming it is to find quality cyber security talent. While the fundamental causes of this skills crisis will take time and sustained focus to effectively address, there are steps that organizations can take in the short term to better position themselves to deal with their challenges.
In ISACA’s State of Cyber Security 2017 study, 37 percent of respondents say less than one in four applicants are qualified for jobs, while only 59 percent of organizations receive at least five applicants for open cyber security positions. Consider a Glassdoor survey that found most corporate job openings draw 250 applicants, and the scarcity of qualified cyber security professionals becomes all the more striking.
Until the pipeline of qualified applicants can be more adequately filled, organizations will need to be creative, resourceful and resolute in their pursuit of cyber security talent.
That includes placing heavy emphasis on grooming and retaining existing talent through a defined program of training and skills refresh. Investing in professional development and technical upskilling are among the ways to incentivize employees to stay, and job rotations – which round out employees’ skill sets and ward off the frustration that comes with repetitive tasks – can be another effective tactic. These retention efforts are critically important, as allowing cyber security professionals to walk out the door, given how difficult they are to replace, often becomes a crippling setback.
Hiring from within is another approach that is a necessity for many organizations. Given the shortage of qualified cyber security professionals, grooming employees with related skills – such as application developers, data analysts, and network specialists – is a sensible and effective way to fill crucial gaps. Many employees with these tangential skills are interested in learning more about cyber security and applying their skills in new areas, so this approach can be a win-win scenario for professionals and their organizations.
Among the study’s respondents, 55 percent noted practical, hands-on experience as the most important security qualification for cyber security candidates. The ability to demonstrate those capabilities – such as through ISACA’s Cybersecurity Nexus Practitioner (CSXP) certification – provides measurable credibility to employers, but there are additional considerations that should not be overlooked when pursuing cyber security talent.
The cyber security community is relatively small and tight-knit. In a landscape where hiring talented cyber professionals is so difficult, drawing upon industry contacts and personal networks for recommendations can be essential to both find and vet quality candidates. Identifying the right educational backgrounds also should not be discounted, as many hard-to-find skills, such as malware analysis or management of a security program, would benefit from computer science or business degrees, respectively.
The State of Cyber Security Study 2017 shows the immense amount of long-term work ahead, but organizations dealing with urgent cyber security threats now must be proactive and strategic to make the best of a challenging workforce landscape.
Eddie Schwartz, EVP Cyber Services, Dark Matter, LLC, and ISACA Board Director
[ISACA Now Blog]