Why InfoSec Hiring Managers Miss the Oasis in the Desert

Despite a sharp shortage of IT security professionals, a pool of potential talent is swimming below the surface.

InfoSec hiring managers may feel they're looking across a vast desert when it's time to fill an IT security position, but the situation may not be as dire as some expect, according to a survey released today by ISC(2).

"Hiring managers want fully trained and experienced cybersecurity people doing the job. But with the shortage, what organizations and academia need to do is look at their own bench," says Wesley Simpson, chief operating officer for ISC(2).

A company's IT staff is one of the greatest resources for finding new security workers, because its members are already familiar with the company and its processes, and know its technology, Simpson says.

But in ISC(2)'s 2017 Global Information Security Workforce Study, which includes a survey of 3,300 IT professionals, 43% of survey respondents say their companies failed to provide them with adequate security training and professional development.

Untapped Potential

Although 63% of survey respondents say their organizations face a cybersecurity shortage, only 34% of participants say their companies will cover the cost of security training. Another 30% of respondents split the education and training costs with their employer, while 34% of surveyed IT professionals are left to pay the entire cost by themselves.

The average certification class costs $2,000 at ISC(2), Simpson says. However, he notes some organizations charge as much as $10,000 for a certification class.

IT professionals are also underutilized when it comes to soliciting their opinion on security matters. Roughly a third of respondents had their security suggestions put into action, while 28% say their advice was solicited but not followed.

Companies will look to CISOs for answers because they are the ones who are accountable for security, explains Simpson. But, he adds, it is the frontline IT workers who are tasked with executing the CISO's security strategy, yet are not given the credibility that they deserve.

"Companies will sometimes look to consultants to help with vulnerability assessments, but sometimes it's these employees who know because they see it day in and day out," observes Simpson.

Crafting Solutions

Over the next 12 months, 50% of survey respondents say their organizations will likely spend the same amount on security training as in past years. However, 33% of survey respondents say they anticipate an increase in security training, according to ISC(2)'s report.

"Things can't remain status quo," Simpson says. "Status quo is actually falling behind because new vulnerabilities are being created every day by the bad guys, and our security posture has to advance to keep pace."

A recent survey by Dimensional Research found companies are filling the cybersecurity skills gap with non-security professionals.

In a survey of 315 IT security professionals, 20% of survey participants say their organizations have hired non-security experts over the past two years to fill the cybersecurity skills gap. Seventeen percent of survey respondents, meanwhile, plan to continue this practice of hiring non-cybersecurity experts over the next two years, according to the survey, which was sponsored by Tripwire.

Fifty percent of Dimensional's survey respondents say their companies plan to increase security training with existing staff as a means to offset the security skills shortage.

Steps to Transform IT Workers to InfoSec Workers

The first step in selecting potential employees for the transition to IT security is to consider their interests, says Kimberly Mahan, CEO of Maxx Potential, an IT training and outsourcing company.

"We look at (apprentice trainees) and how much they are into security. Do they go home and research it? Do they want to learn more about it? Do they enjoy problem-solving enough to push through the concepts?" Mahan says.

Once it's clear an IT worker has an interest in security, Mahan's firm runs them through hardware and software exercises, as well as a mini capture-the-flag exercise.

"They can say they want to be a security professional, but it's not good unless they understand things like software development," says Mahan.

After getting a base read on an IT worker's skill set, Mahan teams the apprentice with a technical advisor to work on security projects together to develop "real-world" experience.

"Some apprentices take three or four years to make the transition to security and others take a year," she says. "This is more of an immersion approach and it adds value as quickly as possible."

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...
