Anyone who has spent any time in the information security/cybersecurity field is aware of the “talent gap,” meaning, there is greater demand for security practitioners than there are practitioners, themselves, to fill those roles. Various media outlets have claimed there will be staggering numbers of unfilled jobs by 20XX—often in the millions—leading to the type of fear, uncertainty, and doubt that plagues our profession on a regular basis. In its State of Cybersecurity Survey 2018, ISACA aims to level set and temper some of the industry FUD.
It’s important to note that when referring to the state of the profession, the terms “talent gap” and “skills shortage” are often used interchangeably. However, there is (or should be) a distinction between not having enough people to fill open roles and not having enough appropriately skilled staff currently employed or in the pipeline of interviewing candidates. Per the ISACA report, both issues are problematic: the industry needs more people, and it needs people who possess appropriate skill sets to handle today’s cybersecurity challenges. According to the survey, 59% of enterprises report that they have open/unfilled security positions.
What’s more, 30% of survey respondents report that “fewer than 25 percent of applicants are qualified” to fill open positions, and only 31% said that “between 25 to 50 percent of applicants are sufficiently qualified.” Though these data look discouraging on paper, 2018 showed slight improvement over 2017 in terms of enterprises receiving applications from what they consider to be qualified candidates.
Unfortunately, these is no measure of “qualified” defined in this report, and more generally speaking, finding “the right skills” for a position can be somewhat subjective. Recruiters and HR professionals may judge a candidate’s or employee’s qualifications by the certifications that person has achieved. Hiring managers, on the contrary, are more likely to evaluate the types of projects and technologies with which an individual has hands-on experience. Peer-level coworkers, for their part, may have yet a different view of what’s required to add to the team’s capabilities.
Still another angle presented by the ISACA report is that it’s possible organizations have shifted expectations over time, based either on what they think job seekers can bring to the table or what those people are expected to do once they land a role on the security team. Some of the shift could be attributed to the fact that machine learning and automation are becoming more integral parts of security operations, altering employee requirements.
Where growth is necessary
While it’s hard to say what “qualified” means without digging into specific security roles, one very clear data point emerged in the 2018 survey: the need for technical security professionals is most pressing. When asked about hiring demand, 77% of companies responded that the organization will need increased numbers of individual contributor, technical security staff. At the individual contributor, nontechnical staff level, only 46% of companies responded that they foresee an increase in staffing needs.
Conversely, when it comes to managers and directors of security, 70% of companies said there is “no change in staff needed,” and for executives and C-suite individuals, that number rises to 76%. It does make sense, of course, that greater growth is expected at “hands-on-keyboards” levels rather than in the management space; one CISO or manager could direct a team of 10, 20, 150 people effectively (depending on the organization and the management style).
That being said, organizations need to consider employee career paths if they expect to retain top workers (and by all measures it is more profitable for organizations to retain good employees than to hire and train new staff), and constantly evaluate what new challenges and opportunities they can present to hard-working, accomplished technical professionals. Without challenges and growth opportunities, the company will experience constant attrition and employee turnover, further contributing to gaps in both the number of staff and the skill set required to adequately manage a cybersecurity organization.
This is not to say that every employee strives to become a manager or executive (for which there is less need—at present, anyway). But thinking long-term, organizations should plan how they intend to develop current and future staff so they’re not continually (metaphorically) chasing their tail when it comes to filling open positions and obtaining employees with suitable skills.
Technological developments and cybersecurity advancements will always provide some level of opportunity for new skills acquisition, but that may not be enough to keep staff engaged and motivated over time. And if we’re filling an increasing number of positions at lower levels but not offering those employees any way to grow or anywhere to go after years on the job, both the talent gap and skills shortage will remain a problem for as long as cybersecurity is a profession.
If you're looking to enhance your leadership skills and learn to align security with business priorities, attend MISTI's Security Leadership Exchange, May 20-22, 2018 in Ponte Vedra Beach, FL.