AT A TIME when cybersecurity challenges are growing, teams can’t afford to be understaffed. But they are.
A recent global ISACA study surveying 2,051 respondents found that 19 percent of cybersecurity professionals said their teams were significantly understaffed, and a further 47 percent said they felt their teams were somewhat understaffed. That adds up to 66 percent, which is quite discomforting.
Although the lack of resources is sometimes to blame for understaffed cybersecurity teams, the study found that 57 percent of organizations had an open position, and a majority couldn’t find suitable candidates even after waiting for months, sometimes as long as six months.
However, it was reassuring to find that the talent gap was at the lower end of the corporate ladder.
Executive or C-level cybersecurity professionals, as well as senior manager and director-grade roles, were not vacant. The bulk of vacancies were in the individual contributor category or basic managerial category.
Obviously, the demand for future hiring lies in these categories as well, with 78 percent of respondents expecting to aggressively hire for technical cybersecurity professionals in the individual contributor grade and 47 percent expecting to aggressively hire for non-technical cybersecurity professionals in the same grade.
Experience over education in cybersecurity?
The ISACA study raised an interesting question about the need for education in cybersecurity.
Given the number of open positions, the report asked survey respondents if they felt applicants were well qualified. Thirty-three percent said less than 25 percent of the candidates were qualified for the job they applied for while 37 percent — slightly more optimistic — said that between 26 and 50 percent of the candidates that applied were qualified.
Speaking of qualifications, when asked if a university degree provided evidence of an applicant being qualified, 46 percent said they ‘neither agree nor disagree’, 21 percent said they ‘disagree’, and 7 percent said they ‘strongly disagree’.
And yet, 55 percent reported that a university degree was something their organization typically required when hiring cybersecurity professionals. In fact, 20 percent of respondents said that a university degree was very important to them when hiring cybersecurity talent.
Drilling down into the skills gaps inside cybersecurity teams, the top three challenges were soft skills, IT knowledge and skills gaps, and insufficient business insight. Truth be told, all of these could be acquired in university.
Experience (both technical experience and hands-on training), on the other hand, ranked low when evaluating skills gaps in cybersecurity professionals, although technical experience was cited as most important when hiring candidates by 73 percent of respondents, and 81 percent found hands-on training either very important or somewhat important.
Overall, the ISACA study didn’t conclusively say that experience was more important than a university degree when it comes to cybersecurity — but the consensus slowly seems to be building in favor of experience (and hands-on training).
Given the learnings from the study, ISACA has four simple recommendations for organizations looking to ensure they have access to the talent they need to defend their organizations against bad actors in cyberspace:
- Invest in existing employees through both financial incentives and training
- Offer a pipeline to cybersecurity positions for current non-cyber staff
- Look to nontraditional recruiting, such as apprenticeships, government programs or hosting a cybersecurity competition, and
- Waive university degree requirements in recognition of the nontraditional paths to cybersecurity careers.
Following these recommendations is a good idea, not just for companies in the Asia Pacific, but anywhere in the world, in any industry, as cyber attackers are getting more sophisticated and exploiting any and every opportunity they can.