Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/5/2016
04:50 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Half Of Cybersecurity Pros Solicited Weekly About A New Job

'Sellers' market' for IT security professionals, but more than two-thirds lack a clear career path in the field.

One or more times per week, nearly half of cybersecurity professionals receive an email or a call from a recruiter or other party about a job opening, and a quarter of chief information security officers get five or more such solicitations per week.

It's a "seller's market" for security professionals given the much-maligned and well-known skills gap in the security industry that according to some estimates has left around 1 million job openings worldwide. A new research report by Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) found not only that security pros are getting bombarded by recruiters, but only 41% are "very satisfied" with their current jobs, 44% "somewhat satisfied," and 15% not satisfied.

The global survey of 437 security professionals also revealed that security pros have serious concerns about their careers and most aren't getting sufficient training to keep pace with emerging skills and threats. Some 56% say their organization doesn’t offer them the proper training for their jobs -- and 65% say they don't have a solid career plan or path, according to "The State of Cyber Security Professional Careers: Part 1" report.

That's a recipe for disaster for enterprises, which already are struggling to fill job vacancies.

"The positive thing is that it's a seller's market. If I want to go elsewhere or make more money or go to another industry, I can do that," Jon Oltsik, senior principal analyst with ESG, in a press briefing today on the report. The downside for organizations, of course, is loss of skilled staff, attrition, and a higher security risk, he said.

"People are job-shopping all the time or being asked to all the time. This is a root issue we're not talking about," he said. "People are being poached left and right. If an organization suffers massive attrition, there's no consistency in policies, controls, or your general risk profile."

Oltsik says the training gap for existing security pros is a big red flag. One-fourth say their organization should be offering "significantly more" training for them. "We're understaffed, severely under skilled, and not investing resources for keeping people up to speed. That's an existential risk to all of us," Oltsik said.

Candy Alexander, CISO of ISSA and chair of its cyber security career lifecycle program, says training is one of the first things that gets cut from the budget. "It always comes down to budget, and training is the first to be cut, or cutting back on resources," she said. "We're always firefighting, in reactive mode and there's no opportunity to be proactive" with training or other measures, she said.

When it comes to the oft-debated topic of cybersecurity certifications, the report shows that one cert matters the most: the CISSP (Certified Information Systems Security Professional). Some 56% of security pros hold a CISSP, and most say it was "valuable" both for getting hired (61%) and for on-the-job know-how (55%).

The next-closest cert held by security pros is the CompTIA Security+ (19%), CISM (Certified Information Security Manager), with 17%; and CISA (Certified Information Security Auditor), with 16%. CISM and CISA came closest to the CISSP in value for hiring and knowledge for the job, but each by only around 10% of respondents.

"No cert achieved a rating over 10%" besides the CISSP, Oltsik said. "That to me is extremely telling for a couple of reasons: it says certs are window-dressing, but having a lot of certs on your resume may give you personal gratification, but it's not training you to be a better cybersecurity pro. It also means to me that [you] go and get certified for a specific baseline of knowledge. But that's not how you become a great cybersecurity professional … certifications have a specific role" and security requires "hands-on" experience, he said.

Some certifications are helpful for specific uses, such as Certified Ethical Hacker, or Certified Incident Responder, he said.

Job satisfaction factors for cybersecurity pros include financial compensation (32%), a corporate culture that values cybersecurity (24%), business's commitment to security (23%), and working alongside a skilled security team (22%).

Even so, most of the security pros surveyed are satisfied with their choice of field: 79% strongly agree or agree that they're happy being a security professional.  And nearly 80% of them began their security careers on the IT side of the house, the report says.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jenny3031
50%
50%
jenny3031,
User Rank: Apprentice
10/6/2016 | 6:14:09 AM
Great news
Hello! This is my first visit here, but I found so many interesting and helpful information here. I like that you offer here so many interesting articles. I will recommend your site to my friends. I am sure they will like it. Please keep it good posting. 
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .