SAN FRANCISCO -- Even though the national unemployment rate has been below 5 percent for more than a year, there are still millions of people looking for new jobs across the United States, population 321 million.
If only a fraction of them were trained and certified as security admins, architects or developers, that number would go way, way down. This sector of IT is crying out for qualified employees, and the pay rates are pretty darn good, too.
At this year's RSA Conference, being held at the Moscone Center through Feb. 17, the ISACA industry coalition is focusing on how to address the growing skills gap, because demand for qualified cyber security professionals continues to outstrip supply. (ISACA, previously known as the Information Systems Audit and Control Association, now goes by its acronym only.)
According to a new cyber security workforce study by ISACA's Cybersecurity Nexus, only 59 percent of surveyed organizations say they receive at least five applications for each cyber security opening, and only 13 percent receive 20 or more. In contrast, studies show most corporate job openings result in 60 to 250 applicants.
[To see a larger view of the image, right-click on it and select "View Image."]
Few Candidates Have the Right Credentials
Compounding the problem, ISACA's State of Cybersecurity 2017 found that 37 percent of respondents say fewer than 25 percent of candidates have the qualifications employers need to keep companies secure.
"Cybersecurity jobs continue to be extremely hard to fill," Eddie Schwartz, Executive Vice President of Cyber Services at Abu Dhabi-based Darkmatter and board member of ISACA, told eWEEK. "Over time, I think we will see increasing interest in this--people with computer science or IT degrees who choose to go into cyber--but that wave of people who choose to go into cyber as opposed to 'com sci' or IT is going to take a while to catch up in the U.S. and in other countries.
"What we're seeing in general that respondents (to the study) are saying that 32 percent of enterprises are taking six months or more to fill these open security jobs. Not having security is basically like leaving your door open. Imagine leaving your door open or security alarm off for six months because you can't fill a security position."
More than 25 percent of companies report that the time to fill priority cyber security and information security positions can be six months or longer. In Europe, almost one-third of cyber security job openings remain unfilled, ISACA said.
Cyber Security Qualifications: A Moving Target
Most job applicants do not have the hands-on experience or the certifications needed to combat today's corporate hackers, ISACA's report found.
"The survey underscores a fundamental disconnect between employer expectations and what candidates can actually bring to the table," said Matt Loeb, ISACA CEO. "Employers are looking for candidates to make up for lost time but that doesn't necessarily mean a significant academic investment. Many organizations place more weight in real-world experience and performance-based certifications and training that require far less time than a full degree program."
ISACA's report highlighted where hiring managers' expectations are shifting most as they consider candidates for open cyber-security positions:
--55 percent of respondents report that practical, hands-on experience is the most important cyber security qualification.
--25 percent of respondents say today's cyber security candidates are lacking in technical skills.
--45 percent of respondents don't believe most applicants understand the business of cyber security.
--69 percent of respondents indicated that their organizations typically require a security certification for open positions and most view certifications as equally, if not more, important as formal education.
ISACA's Recommendations to Employers
ISACA offers five recommendations to help employers find, assess and retain qualified cyber security talent:
1. Invest in performance-based mechanisms for hiring and retention processes. ISACA's upcoming CSX assessment capability will help employers assess performance level of prospective and current staff members.
2. Create a culture of talent maximization to retain the staff you have. Even when budgets are tight, there are things that can be done that don't impact the bottom line: alternative work arrangements, investment in personnel growth and technical competency, and job rotation to help round out skills and minimize frustration with repetitive (but necessary) tasks.
3. Groom employees with tangential skills—such as application specialists and network specialists—to move into cyber security positions. They are likely to be highly incented to do so and it can help fill the gap in the long term. Having a path in the organization to do this can be a solid investment, as it can be cheaper to fill those gaps and help support employee morale.
4. Engage with and cultivate students and career changers. An outreach program to a university or an internship program can help with this.
5. Automate. Where security operational tasks can be automated, it can decrease the overall burden on staff and thereby help make best use of staff that an organization already has.
ISACA at RSA Conference
Four ISACA leaders will participate in a CISO panel on the findings of this report and the steps organizations need to take. State of Cybersecurity: Overcome Workforce Challenges, Build a Skilled Team will take place on Thursday, Feb. 16, at 2:45 p.m. PST. The CISOs will discuss how to reduce the time to find a qualified candidate, which skills candidates most often lack, the best ways to develop skills among an existing team and how to train new team members.
ISACA experts will also be available at booth 306 throughout the conference.
To download a complimentary copy of the workforce report, go here. The second volume of the State of Cybersecurity study, featuring threat landscape and security governance data, will be available later this year.