A new survey by Trustwave found that the vast majority of organizations are having difficulty finding – and keeping – security professionals.
The report, "Money, Minds and the Masses: A Study of Cybersecurity Resource Limitations," was conducted by Osterman Research from August to September 2016. Osterman surveyed 147 IT security decision-makers, primarily at mid-sized and large organizations in North America.
Among the key findings of the report:
Good IT security staffers are hard to find. Finding and recruiting talented IT security staff members with the right skills is a "significant" or "major" challenge for 57% of those surveyed. And more than one-third of respondents cite retaining highly skilled security people as a difficult problem.
IT security teams lack the necessary talent to meet today’s threats. More than six out of 10 respondents say that half or fewer of their security staff have the specialized skills and training to address the more complex security issues. And only one in nine believe that it’s "highly likely" they will have IT security staff who can take on APTs and zero-day attacks in the future.
Experience wins out over education. 83% of those surveyed say experience in the field rates more highly than education or certifications. Certifications ranked at 25%, while degrees came in at 23% and success in capture-the-flag competitions was slightly lower, at 18%.
"Keep in mind that the vast majority of security professionals don’t have degrees," says Chris Schueler, senior vice president of managed security services at Trustwave. "While college degrees aren’t always a requirement, they do help because a candidate has to be able to articulate and write, but the degree is not a hard and fast requirement."
ISACA Board Director Eddie Schwartz says he’s seeing many of these same findings in ISACA research as well.
"Skilled security staff are hard to find and harder to retain," Schwartz says. "As we begin the new year, it’s time for organizations to make sure they have a plan in place for sourcing and keeping high-quality talent. They need to develop incoming and existing staff through practical, experience-based training, ensure budgets enable them to offer competitive salaries and retention incentives and find creative ways to source talent."
Schwartz adds that organizations may consider investing in training existing staff to shift to cybersecurity roles, look at candidates with deeper technical skills like white hat hackers, and partner with local community colleges and universities to find potential candidates.
Of course, when companies do find people with higher-level security skills, they are hard to keep. When asked if turnover is higher in IT security than in other parts of the company, 36% of respondents in the Osterman report answered "yes."
Still, Trustwave’s Schueler says companies need to develop their security staffs, especially since the survey points out that 40% of respondents believe that their skillsets around emerging and evolving threats are the least adequate.
"Most IT staffs tend to be good at the basics of change management and maintaining devices, but they are lacking in higher-level skills," Schueler says. "There are many new jobs such as pen testers and threat researchers and it’s important to give your people exposure and see if they have the acumen for these positions."
Budgeting was also a thorny issue for security managers. According to the Osterman/Trustwave report, only about 25% of respondents have "complete" control over their annual IT security budgets. In addition, seven out of 10 respondents at least "sometimes" or "more frequently" have disagreements with their senior management over budgeting and staffing issues. This may be why fewer than 30% of respondents feel "fully supported" by the senior management of their company.
A Global Problem
An interesting note: In a recent report from Indeed called The Global Cybersecurity Skills Gap, the US actually fares well when it comes to job-seeker interest in security positions.
To provide some context, in Israel, for example, job-seeker interest in cybersecurity roles meets 28.4% of employer demand. The UK suffers from the second worst skills shortage: In the UK job seeker interest doesn’t quite hit one-third of employer demand. Brazil, Germany, and Italy round out the top five for severity of the skills gap. In each of these countries, interest from job seekers barely exceeds a third of employer demand.
Indeed reports that only in two countries does job-seeker interest exceed 50% of employer demand. Although it may seem like a consolation prize for organizations in the US and Canada, the fact that job seeker interest meets 66.7% and 68.1% of employer demand respectively bodes well when compared with most other countries.
“Although globally employer demand for cybersecurity professionals outmatches job seeker interest, the United States and Canada are in the fortunate position of having the smallest gap,” says Daniel Culbertson, economist at Indeed.
Culbertson adds that recent data portray the two markets trending in opposite directions. In the US, the mismatch between employer demand and job seeker interest has actually improved over the past two years, while the mismatch in Canada widened over the same time period.