The huge challenge many organizations face in finding and hiring cybersecurity professionals may have as much to do with corporate mismanagement as it does with overall skills availability and market demand, a new survey-based study has found.
For the study, the Information Systems Security Association (ISSA) and analyst firm Enterprise Strategy Group (ESG) polled 489 IT and security professionals from the US and other regions on a wide range of issues pertaining to their jobs. It is the fifth time in as many years that the two organizations have conducted the survey.
Fifty-seven percent of this year's respondents reported their organizations have been impacted by the skills shortage crisis, compared with 70% last year and 73% in 2019. Despite the seemingly encouraging trend, 95% of respondents perceived the skills shortage and its associated impact as not improving over the past several years, while 44% felt the situation has only become worse.
The survey shows more than three-quarters (76%) of organizations find it extremely or somewhat difficult to find and hire cybersecurity professionals. A widening gap between cybersecurity skills supply and demand is one reason for the problem. Another reason is organizations are making basic mistakes when it comes to filling available cybersecurity roles.
Thirty-eight percent of respondents, for instance, said their organizations didn't offer competitive compensation for prospective cybersecurity hires. Nearly three in 10 (29%) described their HR departments as not understanding cybersecurity skills, and 25% felt that unrealistic job requirements and skills requirements were keeping otherwise good candidates away. Some 60% felt their organizations could do more to help alleviate the situation.
"The main takeaway from the report is the fact that, once again, nothing has changed," says Candy Alexander, CISO and president of ISSA International. The survey's results show that businesses are not investing in higher compensation or in providing training opportunities for existing staff, she says.
"Compensation could be viewed as an investment into hiring appropriately skilled cyber professionals," but many organizations are not doing so, she notes. The reason could be that they don't understand the role of cyber or fully see the value the function provides to the business' bottom line.
Nick Tausek, security research engineer at Swimlane, says cybersecurity pros in entry-level analyst positions or in infrastructure and software support especially tend not to get compensated fairly. Other compensation-related factors that can cause friction include large wage gaps between experienced and new staff and opaque and widely varying salary scales for the same position, with little transparency into who gets paid what within that scale, Tausek says.
"I've worked places where a brand new, inexperienced analyst was making $15K more than an analyst who had been on the job for four years, simply because of negotiation skills," he says. "I've worked elsewhere where analysts at a satellite office were paid one-third of what the main office analysts were paid for the same exact job. This kind of unfairness is extremely demoralizing."
The HR department's inadequate understanding of cybersecurity skills and job postings with unrealistic requirements — such as asking for skills not really required for the job or commensurate with compensation — are two other factors making it hard for organizations to recruit staff.
Alexander says that growing automation of the HR function has also led to a situation where many people with great skills get overlooked in the job applicant pool because their resumes don't have certain keywords for a system to catch them.
In addition, organizations with strict hiring practices often can scale jobs and salaries based on some type of tiering taxonomy, says Jon Oltsik, an analyst with ESG.
"These taxonomies are rigid and may not change fast enough to keep up with a hot job area like cybersecurity," Oltsik says. Cybersecurity leaders likely share some of the blame here, however, as they may be looking too much at technical aspects of cybersecurity roles and not communicating requirements well to HR or recruiters, he says.
A lack of clear career progression is another issue. Not every organization has opportunities for functions like pen testing or advanced security analytics, which means employees can get stuck in the same position for longer than they want, Tausek says. Cross-training the existing team by having analysts learn about SIEM administration or networking, for instance, can provide an outlet for those who want to expand their skill sets, he notes.
The ISSA/ESG study shows 99% of respondents agreeing that training is essential to keeping up with the skills needed to deal with cyber adversaries. Yet 82% of those who try to keep up with cybersecurity skills development find job requirements getting in the way. Thirty-nine percent said an increase in cybersecurity training investments at their organizations would help address the skills shortage issue.
Organizations need to budget the training costs and find a way to schedule the time for their security staff to receive training, Alexander says.
"Stick to the plan and don’t change it," she says. "If this is impossible, have senior members mentor junior members for on-the-job training. We have overcomplicated the issue and the solutions," she says.
The deepening skills shortage is making life harder for existing cybersecurity teams at many organizations. Sixty-two percent of respondents described the skills shortage as increasing the workload for current members of the cybersecurity team, and 38% said it was contributing to high burnout rates among staff. Ninety-five percent perceived the skills crisis as remaining unchanged over the past few years, while 44% described the situation as becoming more dire.
Security leaders and HR departments that are serious about attracting and retaining talent need to recognize the enormous depth of expertise that analysts and other cybersecurity pros bring to the table and compensate them appropriately, Tausek says.
"Narrow the wage gaps and the salary bands for single positions and make benefits and pay transparent," he notes. "Make employees feel valued. They have a hard job and contribute enormously by identifying breaches and preventing more significant breaches from occurring."