ISACA Now Blog


Organizations Must Be Smart, Strategic in Pursuit of Cyber Talent

Eddie Schwartz, EVP Cyber Services, Dark Matter, LLC, and ISACA Board Director
Posted at 7:21 AM by ISACA News | Category: Security

Organizations are understandably concerned about how difficult and time consuming it is to find quality cyber security talent. While the fundamental causes of this skills crisis will take time and sustained focus to effectively address, there are steps that organizations can take in the short term to better position themselves to deal with their challenges.

In ISACA’s State of Cyber Security 2017 study, 37 percent of respondents say less than one in four applicants are qualified for jobs, while only 59 percent of organizations receive at least five applicants for open cyber security positions. Consider a Glassdoor survey that found most corporate job openings draw 250 applicants, and the scarcity of qualified cyber security professionals becomes all the more striking.

Until the pipeline of qualified applicants can be more adequately filled, organizations will need to be creative, resourceful and resolute in their pursuit of cyber security talent.

That includes placing heavy emphasis on grooming and retaining existing talent through a defined program of training and skills refresh. Investing in professional development and technical upskilling are among the ways to incentivize employees to stay, and job rotations – which round out employees’ skill sets and ward off the frustration that comes with repetitive tasks – can be another effective tactic. These retention efforts are critically important, as allowing cyber security professionals to walk out the door, given how difficult they are to replace, often becomes a crippling setback.

Hiring from within is another approach that is a necessity for many organizations. Given the shortage of qualified cyber security professionals, grooming employees with related skills – such as application developers, data analysts, and network specialists – is a sensible and effective way to fill crucial gaps. Many employees with these tangential skills are interested in learning more about cyber security and applying their skills in new areas, so this approach can be a win-win scenario for professionals and their organizations.

Among the study’s respondents, 55 percent noted practical, hands-on experience as the most important security qualification for cyber security candidates. The ability to demonstrate those capabilities – such as through ISACA’s Cybersecurity Nexus Practitioner (CSXP) certification – provides measurable credibility to employers, but there are additional considerations that should not be overlooked when pursuing cyber security talent.

The cyber security community is relatively small and tight-knit. In a landscape where hiring talented cyber professionals is so difficult, drawing upon industry contacts and personal networks for recommendations can be essential to both find and vet quality candidates. Identifying the right educational backgrounds also should not be discounted, as many hard-to-find skills, such as malware analysis or management of a security program, would benefit from computer science or business degrees, respectively.

The State of Cyber Security Study 2017 shows the immense amount of long-term work ahead, but organizations dealing with urgent cyber security threats now must be proactive and strategic to make the best of a challenging workforce landscape.


Astonishing Data and Very good recommendations

The data about the availability of cyber security candidates for employment is incredibly astonishing. A lot of catch up has to be done by professionals in this regard. And institutions too have to adapt at how to recruit / train quality cyber security personnel. Thanks for the wonderful article.
Ankur Maniar at 2/14/2017 12:28 AM

Re: Organizations Must Be Smart, Strategic in Pursuit of Cyber Talent

I'm still of the belief that we lack well qualified security experts and can keep up with the fast changing threats we face today.
Chidi292 at 2/15/2017 11:23 AM

Certs don't get you the job

I have earned many IT certs over the last 20 years of my career, CISSP and CISA included. I want to do IT auditing and risk mgmt in this last 15-20 years of my career. I am being told I don't have enough "security" or "Audit" experience despite 25 years of IT network, programming, operations and security experience. Some days I think it's just plain old age discrimination. (I'm 53 yrs old.) Most of these companies do NOT want to pay the salaries demanded by seasoned IT people like me who are now venturing into IT Security. I make $123,000 per year but companies only have 60-90K in mind for their security and positions. I am having a tough time breaking into a security / audit management role and even a simple security analyst role, so it's hard to believe there is a REAL shortage. My guess is that these companies want cheap (young) labor with security certs.
AngelFantom at 2/15/2017 12:11 PM

Build Local Capacity

Building local capacity is indeed a viable and effective solution in dealing with the shortage of ICT security professionals; local staff have an understanding of the risks the institution is faced with and just need the skills to respond to them. Building local capacity as the author has stated also serves to motivate employees by empowering them with the needed skills and providing support for career and professional progression. The biggest problem is that institutions want to hire fully baked professionals instead of investing in their local resources. Very insightful article.
Christopher070 at 2/20/2017 4:16 AM