Even as colleges and trade schools churn out more and more grads in the field, hundreds of thousands of cybersecurity positions are going unfilled, with many companies suffering understaffing while they drag out the hiring process. It’s hard to fathom what’s really going on here, but maybe it’s time for companies to think about how they might be contributing to the problem.
About 60% of cybersecurity execs say their companies are understaffed, according to ISACA (the Information Systems Audit and Control Association) in its ninth annual State of Cybersecurity survey of more than 2,000 business leaders worldwide. In the U.S. alone, more than 450,000 cybersecurity positions are unfilled, according to CyberSeek.
The positions remain open even though almost 40% of respondents say their organizations are experiencing more cyberattacks than a year earlier, and 31% say the number of attacks remained the same.
Jonathan Brandt, director of professional practices and innovation at ISACA, described the huge number of openings as a “self-inflicted wound” by companies.
To dive deeper into the problem of unfilled positions, ISACA for the first time asked respondents about whether they were seeking workers for experienced positions or entry-level jobs.
About 50% said they had openings for experienced-level positions, while 21% were seeking to fill entry-level positions.
Brandt was astonished that 38% of respondents said it took three to six months to fill an entry-level position, despite the fact that universities and technical programs have seen an increasing number of cybersecurity graduates.
“Are you kidding me?” he says. “What exactly is the real issue?”
The ‘sticker shock’ of entry-level hires
Brandt believes a key problem in cyber hiring today relates to a major lopsided notion promulgated by enterprise leaders and their human resources personnel. The misconception? “Entry-level positions,” he suspects, “are not really entry-level.”
He believes that because starting cybersecurity salaries tend to be higher, hiring managers may be expecting too much in terms of qualifications when they interview candidates for entry-level jobs. “It’s the sticker shock of what it costs to hire someone,” he says. That may lead some companies to hold out for a “unicorn” to justify the higher salary.
The sky-high expectations may be why only 26% of the survey respondents said they believed at least half of the applicants were well qualified for the positions they sought. Where applicants who were recent university graduates fell short was in skills such as communication, critical thinking and teamwork, 68% of respondents said. In comparison, only 54% said recent graduates lacked the security controls implementation skills they were seeking.
Not only are experienced cybersecurity professionals hard to find, they’re also hard to keep, according to the survey. About 56% said they had difficulty retaining qualified workers.
Competing via benefits
Making hiring and retention more difficult is a move by companies to trim benefits. While 65% of employers reimburse certification fees, that number fell one percentage point from the year before. Those offering recruitment bonuses declined two percentage points, and those paying for university tuition dropped five percentage points to 28%.
ISACA points out that shrinking benefits is widespread among industries, not something specific to cybersecurity, because of uncertainty about economic conditions.
Even so, Brandt sees a prime opportunity for companies to distinguish themselves from rivals. If a firm wants the best talent and can afford it, he says, it can say, “We can afford to throw in a little bit more money.”
Another way a company can compensate for trimming costly benefits is to be more flexible with return-to-work mandates. About 28% of respondents said limits on remote working were the likely cause of employees leaving a job, up four percentage points from a year earlier.
Companies that are understaffed need to be a little bit more accommodating, especially when it comes to non-monetary incentives, Brandt says.
For now, training non-security staff to move into security roles continues to be the main way to handle the staffing shortages, according to the ISACA survey. Fewer companies reported bringing in contractors and consultants to fill gaps compared to last year.
The DEX edge
One way companies could have an edge in hiring top cyber talent or luring non-security staff over to security is by improving digital employee experience (DEX), which is how employees interact with the digital tools they use in their jobs. A DEX solution monitors devices’ performance at the endpoint to track, among other things, CPU utilization, throughput, and free disk space, and then works to increase efficiencies of the technology. The goal is to reduce employees’ frustration and dissatisfaction with their workplace.
Companies that become known for their DEX programs may be able to hire top talent away from rivals and/or hire from within if current staff know there won’t be technological obstacles.
DEX is new enough that the ISACA survey didn’t include any specific DEX questions, but Brandt says the association is conducting research to see what impact it may have. Implementation varies among companies, which makes comparisons difficult, but anything that helps smooth the use of technology at work is bound to improve employee experience and security.
Cybersecurity procedures and systems, “whether we want to admit or not, are inconvenient” for some workers who are looking for the path of least resistance, Brandt says.
Employees may be lax in changing passwords regularly, look for workarounds to avoid some security procedures, or use unauthorized devices they find more convenient. An emphasis on DEX that makes technology easier to use may reduce such behavior and lead to better employee engagement.
The important story in the next few years will be the attempt to fill the many open entry-level positions, Brandt predicts. Companies in regions away from high-cost areas such as the mid-Atlantic corridor may be able to entice candidates at lower starting salaries in exchange for requiring fewer qualifications.
“Everybody needs to start somewhere,” Brandt says. Additionally, ISACA recently released the 2024 version of the same report, which helps shed more light on gaps in key skill areas and the effects of AI on cybersecurity professionals.
This article was written by Bruce Rule and originally appeared in Focal Point magazine.