Dark Reading is part of the Informa Tech Division of Informa PLC
Fewer Than One-Fourth Of Cybersecurity Job Candidates Are Qualified

ISACA report finds that 55% of security jobs take three- to six months to fill, and under 25% of candidates are qualified for the jobs they apply for.

Sobering news on the cybersecurity hiring front: More than 20% of organizations get fewer than five applicants for an open security job and more than half of all positions (55%) take at least three months to fill with a qualified candidate.

Of those who do apply, fewer than 25% are actually qualified for the posted job, according to a new ISACA report released at last week's RSA Conference in San Francisco.

It won't surprise anyone in IT management to learn that it's extremely challenging to fill open jobs in information security. But ISACA's report on the state of security hiring quantifies those challenges more starkly.

The source of the problem doesn't appear to be money, says Eddie Schwartz, an ISACA director and also EVP of cyber services at security vendor DarkMatter. "We continue to see a lack of qualified candidates, even though companies are offering extremely competitive salaries, higher than other IT jobs," Schwartz says.

The report, generated from an email survey of ISACA members around the world, also homed in on an infosec applicant's most important qualifications, which are apparently less about their training and more about the hands-on, practical experience they bring to the table.

"What we're going to see is a continued departure from a bunch of letters after people's names and verifying that they have the skills needed," Schwartz says, referring to acronyms like CISSP. So rather than just writing code and answering rudimentary security questions, infosec candidates can expect to be dropped into live-fire scenarios that reflect their levels of experience.

"If you're an apprentice, they'd be more rudimentary, but if you're an expert you're going to be asked to work in more advanced scenarios," Schwartz says.

In the last 20 years, many employers have taken the approach of bringing on a cybersecurity professional as a generalist, then encouraging him or her to add certifications and climb the ladder as their experience and knowledge grew, Schwartz says. Others tried to draw security talent from their organization's pool of software coders. But employers typically haven't done enough "shepherding" of security talent, cultivating skills internally, and training people to replace their bosses, he adds.

More recently, the industry has started in the direction of creating apprentices, journeymen, and masters of infosec. Schwartz points to ISACA's own CSX certification program as an example of that hierarchical progression.

But clearly, the security talent-nurturing equation needs a refresh.

ISACA and employers have work to do with educators and their computer engineering and IT management programs, Schwartz adds. And employers need to start embracing how Millennial and Gen Y professionals work and learn.

"They prefer just-in-time training and ratings like the ones in gaming systems," Schwartz says. "They're all about how they can continually gain knowledge and how they rank relative to their peers."

ISACA is starting to see corporations incentivize Millennials to take part in team-based training, with improving their ratings as one of the goals, he adds.

Other key findings from ISACA's state of cyber security report:

  • 32% of respondents say it takes six months or more to fill their security positions.
  • Only 13% report receiving 20 or more applications for a security job.
  • 13% of respondents cite referrals or personal endorsements as the most important attribute for candidates; 12%, certifications, followed by formal education (10%), and specific training (9%).

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ...

User Rank: Ninja
2/25/2017 | 4:43:03 PM
Not surprising
I am not surprised at all. It is really hard to find any candidate for any IT position these days in the US. IT resources are very expensive, and that includes security skills too.
User Rank: Apprentice
2/24/2017 | 5:38:30 PM
Re: They may not exist so you need to teach them right
The problem I see is companies requiring credentials and passing over anyone who doesn't have them. Passing a test and understanding the problem and how to fix it are 2 different things.

I had a DoD 5220.22-M operating manual dropped on my desk from a large aerospace/defense customer saying we need to comply. After reading through 174 pages of acronyms I called their COMSEC manager and asked "What do you really need?" She replied "encrypted Email". I had it set up the next day. Yet even after a year nobody we communicate with at that company is set up for encrypted email, and hers comes with an invalid certificate warning. I asked what the hold-up was with their encryption and was told she had to get authorization from a vice president.... I just about bust a gut laughing. I've kept repeated reminders to them in my CYA file. I could cite numerous other examples of the bureaucracy of big business from this company in Dulles, VA alone.

I'd bet money the only criteria was that she had a degree in security.
User Rank: Apprentice
2/24/2017 | 3:45:53 PM
Look for Core skills
After being a hiring manager in IT Security for many years, I have to say the statistics are pretty accurate from the perspective of the people I see.

One thing that people need to remember: the business needs an outcome. This means delivery, and many of the security professionals out there lack this "delivery" mentality and focus more on the research and detailed analysis functions.

My interview process is fairly simple.

1st Interview - Theory and Cultural Fit (1 Hour) - Theory is focused on what they know as a base. Pick a technology/system that they are familiar with and go through their thought processes.

2nd Interview - Detailed Theory + Ability to Learn (1-1.5 hours) - Focused on detailed questions (including scripting and commands) on a high-skill system. (We ask them to nominate a technology beforehand and give them 5 days of research beforehand.)

3rd Interview - Practical Lab + Analysis Assessment (1-2 Hours) - We ask them to nominate a different technology and build it in the lab. My team then breaks these instances in a fairly common way that a standard person will know in 2 seconds and resolve in 5 minutes. We can see their analysis of the situation, and see the steps they go through to analyse and also resolve it.

4th Interview - Management Discussion

I have interviewed hundreds of people from different backgrounds, cultures and capabilities and less than 15% qualify. Not from a certification perspective (they have all these), but from a core fundamental of missing on key delivery aspects (pick 1 from above). It amuses me that we get them to nominate the technologies that they are comfortable with (built specific to their requirements and strengths), yet when it comes to practical use and assessment, they fail on something they say they are good at.

If they have the core skills of analysis, ability and willingness to learn, a delivery approach and are happy to delve into the details, then they can get a job with me.... The certifications aren't required; once you go through our day-to-day operations, these just happen naturally.

My team is amazing. I give them standard and non-standard scenarios on different topics and areas each day/week, to which I get 4-5 different responses from the team. They then work out what is best between them and compare their theories and aspects with each other.

They learn from each other, and if new technologies that we want to adopt come up, I'll throw them through the certification path, although I will allocate them lab space to build, break, fix and adjust to make sure they can assess the feasibility, as well as learn and train on the technology through practical experience.

User Rank: Strategist
2/24/2017 | 2:51:53 AM
Re: They may not exist so you need to teach them right
My usual response to hiring managers is - "do you really think the guy who invented 'x' is certified in it?" :D
User Rank: Apprentice
2/23/2017 | 8:46:17 AM
Maybe rethinking what qualified means would level the playing field. Security is a tough field to get into without experience. Security is not rocket science and I would offer that people with a technical and business background would make great candidates within the security field. Security is not what is taught in books or at conferences where the focus is on a perfect world, leading people to believe that what is in the books or discussed at conferences is the real world, obviously, it is not. Last I checked, companies were in business to make money and security is part of that process, whether you want to call it a cost avoidance exercise or whatever. Security is an enhancement to and provides protection for the business while allowing the company to function and profit. I can argue that technical skills and business knowledge are critical in a security role and that security skills can be developed based upon that knowledge. The knowledge of what the business does and what is critical to the business is paramount to securing it.
User Rank: Apprentice
2/22/2017 | 10:22:34 PM
We need to improve the educational pipeline and provide freelance opportunities
I believe that the solution to the cyber skills gap is twofold. The first is to improve the educational pipeline. In this area, leaders in the cybersecurity education market such as SANS.org play a key role with online courses and certifications. The second is to offer cybersecurity experts additional opportunities to freelance or moonlight with companies, thereby sharing the skills of a qualified person amongst multiple non-competing companies. For example, companies will benefit from sharing a virtual CISO by getting expert advice at a lower cost than full-time, and the virtual CISO will benefit by exercising his/her expertise in different domains. A dedicated security freelancer marketplace such as SECUR1TY.com can help enable such arrangements. 
User Rank: Apprentice
2/22/2017 | 8:18:23 PM
True but..
Isn't that the same with all job candidates? Regardless of the industry it is hard to find good people.  They are out there but it is hard to find a good match.  It is definitely more difficult in the security industry and why Managed Security Services is so helpful.  I do see hope with the new hiring post college generation.  They are excited, ready, inexperienced, no special certifications but honest and hard workers that come to their jobs on time, respect everyone in the office and are ready to learn, work hard and engineer solutions.  It is kind of exciting.  True article and thanks for posting.
Joe Stanganelli
User Rank: Ninja
2/22/2017 | 6:24:37 PM
Bah. Loaded descriptor.
Define "qualified".

Are we talking "able to do the job," or are we talking "meets 100% of all the supposed qualifiers that HR thinks the job requires"?

Because those are two VERY different things, especially when it comes to the purple-squirrel hiring tactics that have plagued both the IT sector and business as a whole for many years.
User Rank: Apprentice
2/22/2017 | 6:17:28 PM
They may not exist so you need to teach them right
While there is a lot of discussion about whether or not certifications are viable in this field it is my impression that most enterprises still look for those letters following the name. The survey presented states that 70 percent of companies require certifications for a position. While that is not 100%, I don't know how drastic a departure from certifications this really indicates.

I think one of the biggest issues is that the number of people who have the right experience might not even exist in the world. Perhaps one of the primary reasons only 25% are qualified is because only 25% of the whole population have the actual experience. How many Cyber Security Specialists have 10+ years of hands on Cloud Security for example? So much of the technology is newer than the experience of the people yet companies are looking for people with these extreme skills. This sets them up to fail at finding the exact match.

Additionally, not every company is installing the latest gear or using the latest and greatest. Therefore, as an example, while someone may know networks, they may not be up to speed on the newest Cisco device or something. Yet the hiring company wants them to know it. Heck, the hiring company may be one of the only companies to date that has purchased the equipment. Yet they require experience on it. That seems like a rather tall order.

What needs to take place is practical, real scenario based education that shows the learner the actual situation. People who do get to work on this equipment and in these rare, yet highly sought after scenarios, should be teaching others the voodoo they do. This way, while the learner may not have been the one to install the equipment or resolve the situation, they know, through experienced learning, what they can do to rectify things or set things up etc. A book with a few pictures is a good start but give me a video or something showing me from start to finish how to write and execute that command line and we'll all be better off.

Companies should be investing in the education of the Security pros too (actually all their people but that's for later). Chief Learning Officers and the leadership need to invest in the people to give them the tools to succeed in the environment. There are companies out there who provide valid education at a fraction of previous costs. 

Another thing I believe worth mention is the application process itself. Security professionals are neck deep in the swamp. They don't have time to poke their head up to see what other jobs are out there let alone spend a long time filling out forms on-line. So, companies should not expect an ad on the web to draw the crowds and they should make the experience of being reviewed by the hiring manager less complicated. Hence, the article's comment about referrals being a top method for recruitment.