Even as colleges and trade schools churn out more and more grads in the field, hundreds of thousands of cybersecurity positions are going unfilled, with many companies suffering understaffing while they drag out the hiring process. It’s hard to fathom what’s really going on here, but maybe it’s time for companies to think about how they might be contributing to the problem.
About 60 percent of cybersecurity execs say their companies are understaffed, according to ISACA (the Information Systems Audit and Control Association) in its ninth annual State of Cybersecurity survey of more than 2,000 business leaders worldwide. In the U.S. alone, about 570,000 cybersecurity positions are unfilled, according to CyberSeek.
The positions remain open even though almost 40 percent of respondents say their organizations are experiencing more cyberattacks than a year earlier, and 31 percent say the number of attacks remained the same.
Jonathan Brandt, director of professional practices and innovation at ISACA, described the huge number of openings as a “self-inflicted wound” by companies.
To dive deeper into the problem of unfilled positions, ISACA for the first time asked respondents about whether they were seeking workers for experienced positions or entry-level jobs.
About 50 percent said they had openings for experienced positions, while 21 percent were seeking to fill entry-level positions.
Brandt was astonished that 38 percent of respondents said it took three to six months to fill an entry-level position, despite the fact that universities and technical programs have seen an increasing number of cybersecurity graduates.
“Are you kidding me?” he says. “What exactly is the real issue?”
The ‘sticker shock’ of entry-level hires
Brandt believes a key problem in cyber hiring today relates to a major lopsided notion promulgated by enterprise leaders and their human resources personnel. The misconception? “Entry-level positions,” he suspects, “are not really entry-level.”
He believes that because starting cybersecurity salaries tend to be higher, hiring managers may be expecting too much in terms of qualifications when they interview candidates for entry-level jobs. “It’s the sticker shock of what it costs to hire someone,” he says. That may lead some companies to hold out for a “unicorn” to justify the higher salary.
The sky-high expectations may be why only 26 percent of the survey respondents said they believed at least half of the applicants were well qualified for the positions they sought.
Where applicants who were recent university graduates fell short was in skills such as communication, critical thinking and teamwork, 68 percent of respondents said. In comparison, only 54 percent said recent graduates lacked the security controls implementation skills they were seeking.
Not only are experienced cybersecurity professionals hard to find, they’re also hard to keep, according to the survey. About 56 percent said they had difficulty retaining qualified workers.
Competing via benefits
Making hiring and retention more difficult is a move by companies to trim benefits.
While 65 percent of employers reimburse certification fees, that number fell one percentage point from the year before. Those offering recruitment bonuses declined two percentage points, and those paying for university tuition dropped five percentage points to 28 percent.
ISACA points out that the shrinking of benefits is widespread across industries, not something specific to cybersecurity, because of uncertainty about economic conditions.
Even so, Brandt sees a prime opportunity for companies to distinguish themselves from rivals. If a firm wants the best talent and can afford it, he says, it can say, “We can afford to throw in a little bit more money.”
Another way a company can compensate for trimming costly benefits is to be more flexible with return-to-work mandates. About 28 percent of respondents said limits on remote working were the likely cause for leaving a job, up four percentage points from a year earlier.
Companies that are understaffed need to be a little bit more accommodating, especially when it comes to non-monetary incentives, Brandt says.
For now, training non-security staff to move into security roles continues to be the main way to handle the staffing shortages, according to the ISACA survey. Fewer companies reported bringing in contractors and consultants to fill gaps compared to last year.
The DEX edge
One way companies could have an edge in hiring top cyber talent or luring non-security staff over to security is by offering digital employee experience (DEX) solutions that improve employees’ interaction with the digital tools they use in their jobs. DEX solutions monitor devices’ performance at the endpoint to track, among other things, CPU utilization, throughput, and free disk space, and then work to increase efficiency of the technology. The goal is to reduce employees’ frustration and dissatisfaction with their workplace.
Companies that become known for their DEX programs may be able to hire top talent away from rivals and/or hire from within if current staff know there won’t be technological obstacles.
The DEX push is new enough that the ISACA survey didn’t include any specific DEX question, but Brandt says the association is conducting research to see what impact it may have. Implementation varies among companies, which makes comparisons difficult, but anything that helps smooth the use of technology at work is bound to improve morale and improve security.
Cybersecurity procedures and systems, “whether we want to admit or not, are inconvenient” for some workers who are looking for the path of least resistance, Brandt says.
Employees may be lax in changing passwords regularly, look for workarounds to avoid some security procedures, or use unauthorized devices they find more convenient. A DEX emphasis that leads to easier use of technology may reduce such actions.
The important story in the next few years will be the attempt to fill the many open entry-level positions, Brandt predicts. Companies in regions away from high-cost areas such as the mid-Atlantic corridor may be able to entice candidates at lower starting salaries in exchange for requiring fewer qualifications.
“Everybody needs to start somewhere,” Brandt says.