Desperately Seeking Security: 6 Skills Most In Demand
When people say there's a security skills gap, this is what they really mean.
July 8, 2017
The last several years have seen a slew of reports lamenting the typical enterprise's struggle to recruit and retain quality cybersecurity talent.
Earlier this year, ISACA's Cybersecurity Nexus survey found that more than one in four organizations take six months or longer to fill priority cybersecurity positions. Respondents to the survey said that 40% of organizations report receiving fewer than five applications for cybersecurity positions. And if things keep going the way they're already headed, the problem is only going to get worse. According to the 2017 (ISC)2 Global Information Security Workforce Study conducted by Frost & Sullivan, by 2022 there will be a global shortfall of cybersecurity workers of 1.8 million people.
At the same time, the pain is not necessarily a singular problem; a lot of the issue comes down to the fact that there aren't enough candidates with the right combination of specialized skills to fight the security problem at any given moment. It's a moving target that changes day by day.
"There’s definitely a talent shortage of quality information security professionals who are capable of solving emerging problems," says Lee Kushner, president of cybersecurity recruiting firm LJ Kushner & Associates. "It’s not a shortage of general skill or average skill, it’s a shortage of skills that can help companies solve their problems."
As the industry starts to look at the problem, it'd best start putting a finer point on the types of skills most in demand rather than fixating on one overarching security deficiency.
"The problem is more granular than 'look at all the open jobs,'" says Mike Viscuso, CTO and co-founder of Carbon Black.
According to the most recent research, the following specialties and skills are the ones that hiring managers are having the hardest time plugging into their teams.
As organizations drown in alerts and try to figure out a way to prioritize incidents for investigation, automation will play a huge role in stopping the insanity. But automation will never replace the smart people who direct it and who follow up with human intuition and foresight to move investigations forward and mitigate the root problems. According to a recent study by ESG on behalf of ISSA, the roles that enterprises have the most difficulty filling are those involving incident investigation and analysis. That finding is corroborated by CompTIA, which also found that skilled security analysts are the hardest-to-find security specialists in today's market.
With organizations increasingly moving their development activities, data and even application workloads to the cloud, they need security practitioners who know how to secure complex hybrid environments. According to one survey by Intel, 93% of organizations at this point use cloud services in one form or another and 62% store sensitive information in the cloud. Yet, just under half say that their effective use of the cloud is stymied by a lack of cybersecurity skills in this arena.
Dark Reading's 2017 Security Staffing Survey shows that most people in charge of hiring security talent believe there is at least some kind of skills shortage on the market. Some of the biggest shortages are not necessarily specific to roles or technical competencies but instead a familiarity with the kind of business they are trying to protect. According to the survey, nearly three times as many hiring managers look for people with experience in defending organizations similar to their own than they seek a formal education in cybersecurity.
This de-emphasis on formal education seems to be a common theme picked up in cybersecurity workforce surveys. A recent survey conducted by ISACA reconfirmed it, as survey respondents reported that their biggest concern is finding people who not only know a lot about security but who have put that knowledge to the test in the real world. That hands-on acquisition of skills easily beat out formal education, special training, and certification by a significant margin.
As DevSecOps drives organizations to be more collaborative, security personnel at all levels must increasingly learn to play nicely with others in IT and beyond. Dark Reading's 2017 Security Staffing Survey found that over half of IT pros believe the most in-demand candidates for security roles are technical people with soft skills, like communication.
By rights, security professionals should be working as internal consultants who help organizations minimize risk as much as possible while still carrying out the kind of digital transformations that will enable them to stay competitive in the app economy. A recent CompTIA report found that the biggest overall IT skills gap category impacting digital transformations is the one having to do with aligning technology with business objectives. If security professionals are going to act in that consultative role, they need to understand both general business principles and the specific business concerns unique to their organization.