
How to Fill the Cyber Talent Gap? Get Real

Results from the latest ISACA survey point to a key reason for chronic understaffing. Hint: Enterprise leaders and HR may be promoting a lopsided notion about “entry-level.”

Data Dive

Even as colleges and trade schools churn out more and more grads in the field, hundreds of thousands of cybersecurity positions are going unfilled, with many companies suffering understaffing while they drag out the hiring process. It’s hard to fathom what’s really going on here, but maybe it’s time for companies to think about how they might be contributing to the problem.

About 60 percent of cybersecurity execs say their companies are understaffed, according to ISACA (the Information Systems Audit and Control Association) in its ninth annual State of Cybersecurity survey of more than 2,000 business leaders worldwide. In the U.S. alone, about 570,000 cybersecurity positions are unfilled, according to CyberSeek.

The positions remain open even though almost 40 percent of respondents say their organizations are experiencing more cyberattacks than a year earlier, and 31 percent say the number of attacks has remained the same.


Jonathan Brandt, director of professional practices and innovation at ISACA, described the huge number of openings as a “self-inflicted wound” by companies.

To dive deeper into the problem of unfilled positions, ISACA for the first time asked respondents about whether they were seeking workers for experienced positions or entry-level jobs.

About 50 percent said they had openings for experienced positions, while 21 percent were seeking to fill entry-level positions.

Brandt was astonished that 38 percent of respondents said it took three to six months to fill an entry-level position, despite the fact that universities and technical programs have seen an increasing number of cybersecurity graduates.

“Are you kidding me?” he says. “What exactly is the real issue?”

The ‘sticker shock’ of entry-level hires

Brandt believes a key problem in cyber hiring today relates to a major lopsided notion promulgated by enterprise leaders and their human resources personnel. The misconception? “Entry-level positions,” he suspects, “are not really entry-level.”


He believes that because starting cybersecurity salaries tend to be higher, hiring managers may be expecting too much in terms of qualifications when they interview candidates for entry-level jobs. “It’s the sticker shock of what it costs to hire someone,” he says. That may lead some companies to hold out for a “unicorn” to justify the higher salary.

The sky-high expectations may be why only 26 percent of the survey respondents said they believed at least half of the applicants were well qualified for the positions they sought.

Where applicants who were recent university graduates fell short was in skills such as communication, critical thinking and teamwork, 68 percent of respondents said. In comparison, only 54 percent said recent graduates lacked the security controls implementation skills they were seeking.

Not only are experienced cybersecurity professionals hard to find, they’re also hard to keep, according to the survey. About 56 percent said they had difficulty retaining qualified workers.

Competing via benefits

Making hiring and retention more difficult is a move by companies to trim benefits.

While 65 percent of employers reimburse certification fees, that number fell one percentage point from the year before. Those offering recruitment bonuses declined two percentage points, and those paying for university tuition dropped five percentage points to 28 percent.

ISACA points out that shrinking benefits are widespread across industries, not something specific to cybersecurity, because of uncertainty about economic conditions.

Even so, Brandt sees a prime opportunity for companies to distinguish themselves from rivals. If a firm wants the best talent and can afford it, he says, it can say, “We can afford to throw in a little bit more money.”

Another way a company can compensate for trimming costly benefits is to be more flexible with return-to-work mandates. About 28 percent of respondents said limits on remote working were a likely reason for leaving a job, up four percentage points from a year earlier.

Companies that are understaffed need to be a little bit more accommodating, especially when it comes to non-monetary incentives, Brandt says.


For now, training non-security staff to move into security roles continues to be the main way to handle the staffing shortages, according to the ISACA survey. Fewer companies reported bringing in contractors and consultants to fill gaps compared to last year.

The DEX edge

One way companies could have an edge in hiring top cyber talent or luring non-security staff over to security is by offering digital employee experience (DEX) solutions that improve employees’ interaction with the digital tools they use in their jobs. DEX solutions monitor devices’ performance at the endpoint to track, among other things, CPU utilization, throughput, and free disk space, and then work to increase efficiency of the technology. The goal is to reduce employees’ frustration and dissatisfaction with their workplace.


Companies that become known for their DEX programs may be able to hire top talent away from rivals and/or hire from within if current staff know there won’t be technological obstacles.

The DEX push is new enough that the ISACA survey didn’t include any specific DEX question, but Brandt says the association is conducting research to see what impact it may have. Implementation varies among companies, which makes comparisons difficult, but anything that helps smooth the use of technology at work is bound to improve both morale and security.

Cybersecurity procedures and systems, “whether we want to admit or not, are inconvenient” for some workers who are looking for the path of least resistance, Brandt says.

Employees may be lax in changing passwords regularly, look for workarounds to avoid some security procedures, or use unauthorized devices they find more convenient. A DEX emphasis that leads to easier use of technology may reduce such actions.


The important story in the next few years will be the attempt to fill the many open entry-level positions, Brandt predicts. Companies in regions away from high-cost areas such as the mid-Atlantic corridor may be able to entice candidates at lower starting salaries in exchange for requiring fewer qualifications.

“Everybody needs to start somewhere,” Brandt says.

Bruce Rule

Bruce Rule is a veteran editor, reporter and public-speaking coach with more than 30 years of experience. He worked for more than 19 years as a business editor for Bloomberg, where he covered a wide range of topics of interest to Wall Street, including technology, company events, market news, regulations and policymaking.
