Cyber Skills Shortage May Require Employers to Change Course: Report

The cyber security skills gap is known and documented, and empirically understood by all enterprise security leaders. It was recently quantified by job site Indeed.com, which measured the difference between available positions and market interest in them. A new report from ISACA titled Current Trends in Workforce Development now seeks to understand the shortcomings in the available applicants, and what can be done by enterprises to minimize the effect of skills shortage.

The report is the first released part of ISACA’s State of Cyber Security 2017 survey. 633 ISACA members responded to an online questionnaire, representing more than 20 industries and all five major geographical regions. North America and Eurasia provided 85% of the respondents in almost equal measure. Technology services at 28%, and finance/banking at 23% provided more than half of the total industry sectors.

The effect of the skills shortage is severe, with more than 25% of enterprises taking more than 6 months to fill a security vacancy. Only 59 percent of the organizations say they receive at least five applications for each cyber security opening, and only 13 percent receive 20 or more. This compares to the 60 to 250 applications for the majority of non-security job openings.

The survey finds that the “main problem of obtaining key talent in the realm of cyber security stems from a lack of qualified applicants.” This is a serious issue that goes beyond the trivial chicken and egg explanation. Cyber security is such a rapidly evolving area that new skills are required almost as soon as schools and colleges begin to train for old requirements.

Threat hunting analysts are a prime example. All security technologies generate huge logs. Those logs contain, somewhere, the subtle indications of system compromise. But it requires a human analyst with a particular set of skills to be able to hunt through a myriad of log alerts to be able to detect the few genuine issues from a mass of false positives. 

This is a relatively new development in cyber security. It stems from the rapidly growing use AI and machine-learning algorithms designed to detect anomalies. They work on the basis of a probability score rather than a binary malicious/not malicious decision. A human analyst is required to make the final decision on the probable; and third-party threat-hunting training is in short supply.

Even when trained threat hunters enter the marketplace, they will do so without practical experience. However, more than half (55%) of the respondents report that practical, hands-on experience is the most important cyber security qualification. Employers are simply demanding the impossible: anybody already possessing both qualifications and experience has got that experience by being in employment. It becomes a question of poaching rather than recruiting, with the inevitable result that skills move upwards towards the bigger and better financed enterprises, magnifying the problem for small and medium companies without doing anything to solve the basic problem.

Even within the low number of applicants, 25% of respondents say today’s cyber security candidates are lacking in technical skills; while 45% do not believe most applicants understand the business of cyber security.

ISACA offers several recommendations to help employers find, assess and retain qualified cyber security talent. In locating talent, it suggests looking internally, and/or looking in a different direction externally. Internally, it suggests that employers should “Groom employees with tangential skills — such as application specialists and network specialists — to move into cyber security positions.” This solves the technical skills problem (these employees will already possess them) while experience can be gained ‘on the job’.

Externally it recommends a path already taken by many organizations: engage with and cultivate students and career changers. “An outreach program to a university or an internship program can help with this,” it says.

ISACA also recommends automation wherever possible. “Where security operational tasks can be automated, it can decrease the overall burden on staff and thereby help make best use of the staff that an organization already has.”

The ISACA report will be discussed at the RSA Conference, on Thursday, February 16th. A CISO panel including four ISACA leaders will discuss “State of Cybersecurity: Overcome Workforce Challenges, Build a Skilled Team.”