Sophisticated cyber security defenses are in high demand as more organizations now recognize the real likelihood of an attack.
That said, understanding the risk is one thing, but doing something about it is quite another, as a majority of survey respondents admit they are ill-equipped to address these threats head-on.
Just 59 percent of organizations said they receive at least five applications for each cyber security opening, and only 13 percent receive 20 or more, according to a security workforce study by ISACA’s Cybersecurity Nexus (CSX) released at RSA Conference 2017.
In contrast, studies show most corporate job openings result in 60 to 250 applicants.
Compounding the problem, ISACA’s State of Cybersecurity 2017 found 37 percent of respondents said fewer than 1 in 4 candidates have the qualifications employers need to keep companies secure.
More than 1 in 4 companies report the time to fill priority cyber security and information security positions can take six months or longer. In Europe, almost 33 percent of cyber security job openings remain unfilled.
Most job applicants do not have the hands-on experience or the certifications needed to combat today’s corporate hackers, ISACA’s report found.
ISACA highlighted where hiring managers’ expectations are shifting most as they consider candidates for open cyber security positions:
• 55 percent of respondents report practical, hands-on experience is the most important security qualification
• 25 percent of respondents said today’s security candidates are lacking in technical skills
• 45 percent of respondents don’t believe most applicants understand the business of cyber security
• 69 percent of respondents indicate their organizations typically require a security certification for open positions, and most view certifications as equally important as, if not more important than, formal education.
ISACA offered five recommendations to help employers find, assess and retain qualified cyber security talent:
1. Invest in performance-based mechanisms for hiring and retention processes.
2. Create a culture of talent maximization to retain the staff you have. Even when budgets are tight, there are measures that don’t impact the bottom line: alternative work arrangements, investment in personnel growth and technical competency, and job rotation to help round out skills and minimize frustration with repetitive (but necessary) tasks.
3. Groom employees with tangential skills — such as application specialists and network specialists — to move into cyber security positions. They are likely to be highly incented to do so and it can help fill the gap in the long term. Having a path in the organization to do this can be a solid investment, as it can be cheaper to fill those gaps and help support employee morale.
4. Engage with and cultivate students and career changers. An outreach program to a university or an internship program can help with this.
5. Automate. Where security operational tasks can be automated, doing so can decrease the overall burden on staff and thereby help make the best use of the staff an organization already has.