One in three cybersecurity job openings go begging, survey finds

"The main problem of obtaining key talent in the realm of cyber security stems from a lack of qualified applicants."
Written by Joe McKendrick, Contributing Writer

If you're a hiring manager, you know how many resumes come flooding in every time a job is posted. That's why the resume-screening process is now automated to keyword searches, just to help sift through the volumes of documents.

Photo: Michael Krigsman

However, if you're hiring for cybersecurity talent, you don't have to worry about such inundation. In fact, if you're like most organizations, you're lucky if at least five resumes come trickling in.

The bottom line is that there simply aren't enough qualified people available to provide data security in an era when information insecurity reigns. Today's cybersecurity skills gap, in fact, leaves close to one-third of organizations without the talent they need for periods of six months or longer -- if the right candidate even shows up at all, ever.

That's one of the findings of a recent survey of 633 IT security professionals, conducted and released by ISACA, which finds that demand for qualified cyber security professionals continues to outstrip supply.

"The main problem of obtaining key talent in the realm of cyber security stems from a lack of qualified applicants," the survey report's authors state. A majority enterprise leaders fear they are ill-equipped to address cybersecurity threats head-on. Fifty-nine percent of surveyed organizations say they receive at least five applications for each cybersecurity opening, and only 13 percent receive 20 or more. In contrast, studies show most corporate job openings result in 60 to 250 applicants.

In addition, 37 percent of respondents say fewer than one in four candidates actually have the qualifications employers need to keep companies secure.

The qualities enterprises seek for cybersecurity positions include the following:

  • Hand-on experience (55%)
  • Certifications (12%)
  • Formal education (10%)
  • Specific training (9%)

The experience part is paradoxical, of course, since someone somewhere has to bet their infrastructure on an inexperienced but eager candidate willing to learn. There are some choice certifications that make the difference, led by the Certified Information Systems Security Professional (CISSP) certification, sought by 27 percent of security managers.

The survey report's authors recommend nurturing talent from within, to invest in offering support for training and certifications to current staff members. The advantage is these individuals already understand the business, and who owns what line of business.

At least 26 percent of security professionals say they have positions that have been open for more than six months, and another six percent say they have positions they haven't been able to fill. In total, then, close to one-third of companies, 32 percent, report that it either takes at least six months or longer to fill cybersecurity and information security positions, if at all.

It's a problem with qualifications seen in the labor market -- there aren't enough. Most job applicants do not have the hands-on experience or the certifications needed to combat today's corporate hackers, ISACA's report found. At least 25% of respondents say today's cyber security candidates are lacking in technical skills, while 45% of respondents don't believe most applicants understand the business of cyber security.

A majority of respondents, 69%, indicate that their organizations typically require a security certification for open positions and most view certifications as equally, if not more, important as formal education.

Here are some of the skills companies are currently seeking in cybersecurity, based on a perusal of Monster.com listings:

Cyber security analyst, telecommunications company: "Experience in threat detection technologies including: intrusion detection and prevention systems, security incident and event management technology, and network packet analyzers. Experience with security data analytics, endpoint protection, malware analysis, and forensics tools. Ability to analyze large data sets and unstructured data for the purpose of identifying trends and anomalies indicative of malicious activity. Knowledge of current security trends, threats, and techniques. Bachelor's degree in information assurance, information systems, computer science, IT, or commensurate selection criteria experience."

Senior cyber security architect, health insurer: "Bachelor's degree in area of specialty or related experience in the healthcare IT industry is required. Minimum of six years of experience in application penetration testing, architecting application solutions, application security, infrastructure security. Familiar with architecture frameworks. Knowledge in IPS, DLP, Firewalls, SIEM, and security assessment tools/methodology -- network, systems and applications."

Cyber security analyst, federal government agency: "Possess a CompTIA Security with Continuing Education (CE) certification. Experience working with government leaders at all levels.Strong communication skills (both written and verbal. Knowledge of hacker tactics, techniques, and procedures Be able to conduct malware analysis. Hands-on experience with various static and dynamic malware analysis tools Knowledge of advanced threat actor tactics, techniques and procedures Understanding of software exploits."

Editorial standards