As the demand for cybersecurity professionals continues to rise against the backdrop of a job candidate shortage, employers say only half of applicants (or fewer) actually meet the qualifications.
The new data from industry association ISACA also shows that finding and hiring qualified cybersecurity pros takes longer now: 32% of organizations say filling a position takes six months, up from 26% last year, and more than 60% of organizations say positions sit vacant for at least three months, up from 55% last year.
This steadily widening cybersecurity talent gap has forced organizations to consider nontraditional methods of hiring, retaining, and training their workforce. The biggest deficit is in the technical talent they need to hire, a trend highlighted by both ISACA's study and one from Tripwire, both released last week at the RSA Conference in San Francisco.
"There's a drought of technical people, and it's been compounding over the years," says Frank Downs, director of ISACA's cybersecurity practice. "There aren't enough cybersecurity pros, period, and there really aren't enough technical cybersecurity professionals ... we need people who can sit down and perform" the technical tasks, he says.
Among the high-demand positions: security engineer, SOC analyst, penetration tester, and cloud security engineer, according to security experts with knowledge of the job market. "I no longer need a firewall engineer: I need a cloud security engineer," says Lamar Bailey, senior director of security research & development at Tripwire.
Some 80% of the nearly 340 IT security pros surveyed by Tripwire say it's getting harder to find skilled people to fill their open job positions. Plus, the necessary skillsets are changing, as security evolves to tackle the blend of enterprise, cloud, virtual, DevOps, and other technologies. Some 85% of them say their security teams are understaffed; 70% of the organizations in ISACA's survey said the same.
Keeping positions filled also is getting harder. Skilled cybersecurity pros unsurprisingly are often lured away from their jobs for higher pay or promotions, so it's difficult to keep a solid security team in place for long. "There's a cannibalization of talent. Once it's [talent] acquired, there are concerns around retention as other companies start reaching out and luring over" those staffers, ISACA's Downs says.
Organizations also are training up members of their existing staff to meet the new demands. "And whether [they're] training [an existing employee] or hiring somebody else, and outsourcing the firewall job to a third party ... they don't have enough people to run everything, and we're seeing core products getting ignored—such as vulnerability assessments," Bailey says.
Some organizations running vulnerability scans, for example, are not necessarily following through and applying the fixes and patches for the flaws those scans find. "They're spreading themselves too thinly" and struggle to prioritize patches, he says.
That's where technical staffers come in, he says, to help analyze the actual risks to their networks in order to prioritize the fixes for specific flaws and machines.
But training up existing security staffers isn't always so simple, especially for more advanced technical roles. "If you're looking at a mid-level security pro who wants to get into higher-level [technical role], it's an investment of a couple of years. It's not like a five-day SANS class," Bailey explains. "Firewall-1 to cloud architect is going to be a lot of training," for instance, he says. And for some organizations, it's difficult to justify this type of training budget-wise, he adds.
While cybersecurity programs are growing on the higher education side, many fail when it comes to providing potential cyber professionals with the necessary—and most in-demand—technical skills. "The problem is a lot of academic organizations don't necessarily teach all aspects of security that make an individual technically proficient," Downs says. "Academic organizations are still playing catch-up."
Still missing from some programs are hands-on malware analysis or firewall configuration, for example, he says.
Ralph Sita, co-founder and CEO of online training firm Cybrary, says cybersecurity education and training doesn't necessarily need to follow the traditional academic trajectory. "You don't need to treat getting into this industry through an educational avenue like high school, college, and boom: you get a job," says Sita. "You have to treat it like a trade: like an auto mechanic, HVAC technician, or a plumber" with hands-on skills training, he says. "You have to touch and use [security] tools."
In some cases, the next security technician at an organization could be an employee on the non-technical side of the house. Tripwire's Bailey says some existing positions more naturally can transition to cybersecurity jobs—accountants and legal experts, for example. "Some of my best [quality assurance] engineers are accountants because they are detail-oriented and good with numbers," Bailey says.
ISACA's Downs, also an adjunct cybersecurity professor at the University of Maryland, Baltimore County (UMBC), says the average demographic of a cybersecurity job candidate is someone changing professions. One of the students in his cybersecurity Master's program last year was a former middle school teacher. "A lot of students have very transferable [skills]. If they have tenacity, that will transition really well," he says, noting that the teacher in his class was his "star student" even among veteran IT pros looking to move to cybersecurity careers.
And while the hardest shoes to fill are technical ones in cybersecurity, the greatest missing skill for existing cybersecurity staffers is business acumen (nearly 50%), according to ISACA's report. Some 34% of organizations say technical know-how is the biggest missing skill among their security teams.
"They want more technical people, and they're now getting more choosy and want technical people who understand the business and can communicate that to the stakeholders," Downs says. "They want a purple unicorn."
The good news, though, is there's a subtle yet slow shift under way in loosening some of the overly ambitious job requirements for entry-level cybersecurity positions, according to Cybrary's Sita. "It's out of necessity" to fill the jobs since there's the Catch-22 of a security newbie not having all of the experience and certifications many of the entry-level jobs call for.
"I can't ask for an entry-level network engineer with five years' experience" anymore, he says.
Meanwhile, large tech and security firms such as IBM and Palo Alto Networks are offering their security teams training on Cybrary's platform as a way to grow and retain their security staff as well as to help advance candidate prospects with the requisite training for employment.