Sobering news on the cybersecurity hiring front: More than 20% of organizations get fewer than five applicants for an open security job and more than half of all positions (55%) take at least three months to fill with a qualified candidate.
Of those who do apply, fewer than 25% are actually qualified for the posted job, according to a new ISACA report released at last week's RSA Conference in San Francisco.
It won't surprise anyone in IT management to learn that it's extremely challenging to fill open jobs in information security. But the ISACA's report on the state of security hiring quantifies those challenges more starkly.
The source of the problem doesn't appear to be money, says Eddie Schwartz, an ISACA director and also EVP of cyber services at security vendor DarkMatter. "We continue to see a lack of qualified candidates, even though companies are offering extremely competitive salaries, higher than other IT jobs," Schwartz says.
The report, generated from an email survey to ISACA members around the world, also honed in on an infosec applicant's most important qualifications, which are apparently less about their training and more about the hands-on, practical experience they bring to the table.
"What we're going to see is a continued departure from a bunch of letters after people's names and verifying that they have the skills needed," Schwartz says, referring to acronyms like CISSP, and others. So rather than just writing code and answering rudimentary security questions, infosec candidates can expect to be in dropped into live-fire scenarios that reflect their levels of experience.
"If you're an apprentice, they'd be more rudimentary, but if you're an expert you're going to be asked to work in more advanced scenarios," Schwartz says.
In the last 20 years, many employers have taken the approach of bringing on a cybersecurity professional as a generalist, then encouraging him or her to add certifications and climb the ladder as their experience and knowledge grew, Schwartz says. Others tried to draw security talent from their organization's pool of software coders. But employers typically haven't done enough "shepherding" of security talent, cultivating skills internally, and training people to replace their bosses, he adds.
More recently, the industry started in the direction of creating apprentices, journeymen, and masters of infosec. He points to ISACA's own CSX certification program as an example of that hierarchical progression.
But clearly, the security talent-nurturing equation needs a refresh.
ISACA and employers have work to do with educators and their computer engineering and IT management programs, Schwartz adds. And employers need to start embracing how Millennial and Gen Y professionals work and learn.
"They prefer just-in-time training and ratings like the ones in gaming systems," Schwartz says. "They're all about how they can continually gain knowledge and how they rank relative to their peers."
ISACA is starting to see corporations incentivize Millennials to take part in team-based training, for example, with one goal to improve their ratings, he adds.
- 32% of respondents say it takes six months or more to fill their security positions.
- Only 13% report receiving 20 or more applications for a security job.
- 13% of respondents cite referrals or personal endorsements as the most important attribute for candidates; 12%, certifications, followed by formal education (10%), and specific training (9%).
- How Businesses, Employees Can Navigate The Security Hiring Process
- You Can't Hire Your Way Out Of A Skills Shortage ... Yet
- 'Kevin Durant Effect': What Skilled Cybersecurity Pros Want
- Why Cybersecurity Certifications Matter -- Or Not