Dark Reading is part of the Informa Tech Division of Informa PLC


Security Pros Say On-The-Job Experience Counts The Most

Surviving the cybersecurity skills crisis requires investing more in the resources you have, experts say.

A new survey by Trustwave found that the vast majority of organizations are having difficulty finding, and keeping, security professionals.

The report, "Money, Minds and the Masses: A Study of Cybersecurity Resource Limitations," was conducted by Osterman Research from August to September 2016. Osterman surveyed 147 IT security decision-makers, primarily at mid-sized and large organizations in North America.

Among the key findings of the report:

Good IT security staffers are hard to find. Finding and recruiting talented IT security staff members with the right skills is a "significant" or "major" challenge for 57% of those surveyed. And more than one-third of respondents cite retaining highly-skilled security people as a difficult problem.

IT security teams lack the necessary talent to meet today’s threats. More than six out of 10 respondents say that half or fewer of their security staff have the specialized skills and training to address the more complex security issues. And only one in nine believe that it’s "highly likely" they will have IT security staff who can take on APTs and zero-day attacks in the future.

Experience wins out over education. 83% of those surveyed say experience in the field rates more highly than education or certifications. Certifications ranked at 25%, while degrees came in at 23% and success in capture-the-flag competitions was slightly lower, at 18%.

"Keep in mind that the vast majority of security professionals don’t have degrees," says Chris Schueler, senior vice president of managed security services at Trustwave. "While college degrees aren’t always a requirement, they do help because a candidate has to be able to articulate and write, but the degree is not a hard and fast requirement."

ISACA Board Director Eddie Schwartz says he’s seeing many of these same findings in ISACA research as well.

"Skilled security staff are hard to find and harder to retain," Schwartz says. "As we begin the new year, it’s time for organizations to make sure they have a plan in place for sourcing and keeping high-quality talent. They need to develop incoming and existing staff through practical, experience-based training, ensure budgets enable them to offer competitive salaries and retention incentives and find creative ways to source talent."

Schwartz adds that organizations may consider investing in training existing staff to shift into cybersecurity roles, looking at candidates with deeper technical skills such as white hat hackers, and partnering with local community colleges and universities to find potential candidates.

Of course, when companies do find people with higher-level security skills, they are hard to keep. When asked whether turnover is higher in IT security than in other parts of the company, 36% of respondents in the Osterman report answered "yes."

Still, Trustwave’s Schueler says companies need to develop their security staffs, especially since the survey points out that 40% of respondents believe that their skillsets around emerging and evolving threats are the least adequate.

"Most IT staffs tend to be good at the basics of change management and maintaining devices, but they are lacking in higher-level skills," Schueler says. "There are many new jobs such as pen testers and threat researchers and it’s important to give your people exposure and see if they have the acumen for these positions."

Budgeting was also a thorny issue for security managers. According to the Osterman/Trustwave report, only about 25% of respondents have "complete" control over their annual IT security budgets. In addition, seven out of 10 respondents have disagreements with senior management over budgeting and staffing issues at least "sometimes," if not more frequently. This may be why fewer than 30% of respondents feel "fully supported" by the senior management of their company.

A Global Problem

An interesting note: In a recent report from Indeed called The Global Cybersecurity Skills Gap, the US actually fares well when it comes to job-seeker interest in security positions.

To provide some context, in Israel, for example, job-seeker interest in cybersecurity roles meets 28.4% of employer demand. The UK suffers from the second worst skills shortage: In the UK job seeker interest doesn’t quite hit one-third of employer demand. Brazil, Germany, and Italy round out the top five for severity of the skills gap. In each of these countries, interest from job seekers barely exceeds a third of employer demand.

Indeed reports that in only two countries does job-seeker interest exceed 50% of employer demand. Although it may seem like a consolation prize for organizations in the US and Canada, the fact that job-seeker interest meets 66.7% and 68.1% of employer demand, respectively, bodes well when compared with most other countries.

“Although globally employer demand for cybersecurity professionals outmatches job seeker interest, the United States and Canada are in the fortunate position of having the smallest gap,” says Daniel Culbertson, economist at Indeed.

Culbertson adds that recent data portray the two markets trending in opposite directions. In the US, the mismatch between employer demand and job seeker interest has actually improved over the past two years, while the mismatch in Canada widened over the same time period.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.
