It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job

Published: 23/11/2024   Category: security




Meanwhile, organizations are looking at unconventional ways to staff up and train their workforce as technical expertise gets even harder to find.



As the demand for cybersecurity professionals continues to rise against the backdrop of a job candidate shortage, employers say only half of applicants (or fewer) actually meet the qualifications.
The new data from industry association ISACA also shows that finding and hiring qualified cybersecurity pros takes longer now: 32% of organizations say filling a position takes six months, up from 26% last year, and more than 60% of organizations say positions sit vacant for at least three months, up from 55% last year.
This steadily widening cybersecurity talent gap has forced organizations to consider nontraditional methods of hiring, retaining, and training their workforce. The biggest deficit of talent they need to hire is on the technical side, a trend highlighted by both ISACA's study and one from Tripwire, both released last week at the RSA Conference in San Francisco.
"There's a drought of technical people, and it's been compounding over the years," says Frank Downs, director of ISACA's cybersecurity practice. "There aren't enough cybersecurity pros, period, and there really aren't enough technical cybersecurity professionals ... we need people who can sit down and perform the technical tasks," he says.
Among the high-demand positions: security engineer, SOC analyst, penetration tester, and cloud security engineer, according to security experts with knowledge of the job market. "I no longer need a firewall engineer: I need a cloud security engineer," says Lamar Bailey, senior director of security research & development at Tripwire.
Some 80% of the nearly 340 IT security pros surveyed by Tripwire say it's getting harder to find skilled people to fill their open job positions. Plus, the necessary skillsets are changing, as security evolves to tackle the blend of enterprise, cloud, virtual, DevOps, and other technologies. Some 85% of them say their security teams are understaffed; 70% of the organizations in ISACA's survey said the same.
Keeping positions filled also is getting harder. Skilled cybersecurity pros unsurprisingly are often lured away from their jobs for higher pay or promotions, so it's difficult to keep a solid security team in place for long. "There's a cannibalization of talent. Once it's [talent] acquired, there are concerns around retention as other companies start reaching out and luring over those staffers," ISACA's Downs says.
Organizations also are training up members of their existing staff to meet the new demands. "And whether [they're] training [an existing employee] or hiring somebody else, and outsourcing the firewall job to a third party ... they don't have enough people to run everything, and we're seeing core products getting ignored—such as vulnerability assessments," Bailey says.
Some organizations running vulnerability scans, for example, are not necessarily following through and applying the fixes and patches those tests find. "They're spreading themselves too thinly and struggle to prioritize patches," he says.
That's where technical staffers come in, he says, to help analyze the actual risks to their networks in order to prioritize the fixes for specific flaws and machines.
But training up existing security staffers isn't always so simple, especially for more advanced technical roles. "If you're looking at a mid-level security pro who wants to get into higher-level [technical role], it's an investment of a couple of years. It's not like a five-day SANS class," Bailey explains. Firewall-1 to cloud architect is going to be a lot of training, for instance, he says. And for some organizations, it's difficult to justify this type of training budget-wise, he adds.
While cybersecurity programs are growing on the higher education side, many fail when it comes to providing potential cyber professionals with the necessary—and most in-demand—technical skills. "The problem is a lot of academic organizations don't necessarily teach all aspects of security that make an individual technically proficient," Downs says. "Academic organizations are still playing catch-up."
Still missing from some programs are hands-on malware analysis or firewall configuration, for example, he says.
Ralph Sita, co-founder and CEO of online training firm Cybrary, says cybersecurity education and training doesn't necessarily need to follow the traditional academic trajectory. "You don't need to treat getting into this industry through an educational avenue like high school, college, and boom: you get a job," says Sita. "You have to treat it like a trade: like an auto mechanic, HVAC technician, or a plumber with hands-on skills training," he says. "You have to touch and use [security] tools."
Purple Unicorns
In some cases, the next security technician at an organization could be an employee on the non-technical side of the house. Tripwire's Bailey says some existing positions more naturally can transition to cybersecurity jobs—accountants and legal experts, for example. "Some of my best [quality assurance] engineers are accountants because they are detail-oriented and good with numbers," Bailey says.
ISACA's Downs, also an adjunct cybersecurity professor at the University of Maryland-Baltimore (UMBC), says the average demographic of a cybersecurity job candidate is someone changing professions. One of the students in his cybersecurity Master's program last year was a former middle school teacher. "A lot of students have very transferrable [skills]. If they have tenacity, that will transition really well," he says, noting that the teacher in his class was his star student even among veteran IT pros looking to move to cybersecurity careers.
And while the hardest shoes to fill are technical ones in cybersecurity, the greatest missing skill for existing cybersecurity staffers is business acumen (nearly 50%), according to ISACA's report. Some 34% of organizations say technical know-how is the biggest missing skill among their security teams.
"They want more technical people, and they're now getting more choosy and want technical people who understand the business and can communicate that to the stakeholders," Downs says. "They want a purple unicorn."
The good news, though, is there's a subtle yet slow shift under way in loosening some of the overly ambitious job requirements for entry-level cybersecurity positions, according to Cybrary's Sita. It's out of necessity to fill the jobs since there's the Catch-22 of a security newbie not having all of the experience and certifications many of the entry-level jobs call for.
"I can't ask for an entry-level network engineer with five years' experience anymore," he says.
Meanwhile, large tech and security firms such as IBM and Palo Alto Networks are offering their security teams training on Cybrary's platform as a way to grow and retain their security staff as well as to help advance candidate prospects with the requisite training for employment.