Cyber Skills Shortage May Require Employers to Change Course: Report

The cyber security skills gap is known and documented, and empirically understood by all enterprise security leaders. It was recently quantified by a job site, which measured the difference between available positions and market interest in them. A new report from ISACA titled Current Trends in Workforce Development now seeks to understand the shortcomings in the available applicants, and what enterprises can do to minimize the effect of the skills shortage.

The report is the first released part of ISACA’s State of Cyber Security 2017 survey. 633 ISACA members responded to an online questionnaire, representing more than 20 industries and all five major geographical regions. North America and Eurasia provided 85% of the respondents in almost equal measure. Technology services at 28%, and finance/banking at 23% provided more than half of the total industry sectors.

The effect of the skills shortage is severe, with more than 25% of enterprises taking more than six months to fill a security vacancy. Only 59% of organizations say they receive at least five applications for each cyber security opening, and only 13% receive 20 or more. This compares with the 60 to 250 applications received for the majority of non-security job openings.

The survey finds that the “main problem of obtaining key talent in the realm of cyber security stems from a lack of qualified applicants.” This is a serious issue that goes beyond the trivial chicken and egg explanation. Cyber security is such a rapidly evolving area that new skills are required almost as soon as schools and colleges begin to train for old requirements.

Threat hunting analysts are a prime example. All security technologies generate huge logs. Those logs contain, somewhere, the subtle indications of system compromise. But it takes a human analyst with a particular set of skills to hunt through a myriad of log alerts and pick out the few genuine issues from a mass of false positives.

This is a relatively new development in cyber security. It stems from the rapidly growing use of AI and machine-learning algorithms designed to detect anomalies. They work on the basis of a probability score rather than a binary malicious/not malicious decision. A human analyst is required to make the final decision on the probable, and third-party threat-hunting training is in short supply.

Even when trained threat hunters enter the marketplace, they will do so without practical experience. However, more than half (55%) of the respondents report that practical, hands-on experience is the most important cyber security qualification. Employers are simply demanding the impossible: anybody already possessing both qualifications and experience has gained that experience by being in employment. It becomes a question of poaching rather than recruiting, with the inevitable result that skills move upwards towards the bigger and better financed enterprises, magnifying the problem for small and medium companies without doing anything to solve the basic problem.

Even within the low number of applicants, 25% of respondents say today’s cyber security candidates are lacking in technical skills, while 45% do not believe most applicants understand the business of cyber security.

ISACA offers several recommendations to help employers find, assess and retain qualified cyber security talent. In locating talent, it suggests looking internally, and/or looking in a different direction externally. Internally, it suggests that employers should “Groom employees with tangential skills — such as application specialists and network specialists — to move into cyber security positions.” This solves the technical skills problem (these employees will already possess them) while experience can be gained ‘on the job’.

Externally it recommends a path already taken by many organizations: engage with and cultivate students and career changers. “An outreach program to a university or an internship program can help with this,” it says.

ISACA also recommends automation wherever possible. “Where security operational tasks can be automated, it can decrease the overall burden on staff and thereby help make best use of the staff that an organization already has.”

The ISACA report will be discussed at the RSA Conference, on Thursday, February 16th. A CISO panel including four ISACA leaders will discuss “State of Cybersecurity: Overcome Workforce Challenges, Build a Skilled Team.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
