- Evolving cybersecurity threats pose dangers to numerous industries, including healthcare, but a recent survey indicates that there is a cybersecurity skills gap that leaves entities exposed for months at a time.
Over one-third of respondents – 37 percent – reported that fewer than 1 in 4 candidates have the qualifications employers need to keep companies secure, according to ISACA’s State of Cyber Security 2017 report.
For the research, ISACA took the responses from 633 individuals whose primary job function is cybersecurity or information security. The survey specifically targeted managers and practitioners who have cybersecurity job responsibilities, explained the report summary.
The survey also found that 59 percent of surveyed organizations receive at least five applications for each cybersecurity opening, with only 13 percent receiving 20 or more.
“Though the field of cyber security is still relatively young, demand continues to skyrocket and will only continue to grow in the coming years,” ISACA board chair Christos Dimitriadis said in a statement. “As enterprises invest more resources to protect data, the challenge they face is finding top-flight security practitioners who have the skills needed to do the job. When positions go unfilled, organizations have a higher exposure to potential cyberattacks. It’s a race against the clock.”
Another key takeaway from the survey was that more than one in four companies find that the time to fill priority cybersecurity and information security positions can be six months or longer.
Hiring managers’ expectations may also be changing as they look for the most applicable candidates. For example, 69 of respondents said that their organizations typically require a security certification for open positions, while 25 percent reported that cybersecurity candidates lack the necessary technical skills.
Furthermore, 45 of those surveyed said they do not find that the majority of applicants understand the business of cybersecurity.
References and personal endorsements were also cited as the least important attributes for a potential cybersecurity candidate, according to the report. Formal education was also unimportant when compared to other areas, as it was barely rated higher than personal endorsements and recommendations.
Report authors noted though that finding a qualified candidate with the necessary experience could be difficult.
“The lack of a practical experience and hands-on capability in the field of cyber security presents a quagmire for most hiring managers in an enterprise,” wrote ISACA researchers. “Although some people within the industry may view cyber security as a longstanding, entrenched career field, others view the field as relatively young.”
Approximately one-quarter of respondents – 27 percent – added that they are unable to fill open cybersecurity positions in their companies. Another 14 percent of those surveyd said they also do not know if their enterprises could fill these positions or not.
For specific security certifications, 27 percent of respondents said that the Certified Information Systems Security Professional (CISSP) certification was the most relevant certification to their cybersecurity job openings. The Offensive Security Certified Professional (OSCP) certification was listed as the least relevant certification to respondent enterprise security team needs.
“An appropriate hiring strategy that emphasizes performance-based certifications that require practical applicant cyber security skills is key to successfully filling open positions,” report authors concluded. “Certifications, which can be garnered in less time than a formal degree, have become a prevailing consideration when filling an open cyber security position.”
These survey findings are similar to ones released earlier this month in the Indeed Cybersecurity Skills Gap Report.
Indeed found that there is a global cybersecurity skills gap, with Israel, Ireland, and the UK having the highest employer demand for cybersecurity talent.
Network security specialists are the most sought after skill that organizations search for, according to the report found, with application security listed as the second most sought after area for US employers.
“When we compare clicks from job seekers to openings for cybersecurity roles posted by employers we can see just how serious the talent shortage gets, and the scale of the risk it represents for organizations,” the report’s authors wrote.