The latest State of Cybersecurity report from ISACA and RSA Conference has yet again revealed that one of the biggest challenges faced by businesses looking to improve information security is the dearth of suitable talent.
With 82.51% of the surveyed organisations saying they think the likelihood of being attacked during 2015 is either likely or very likely, the race to acquire the talent required to mitigate the risk is on, but finding suitable staff is proving to be quite a challenge.
More than a third of enterprises are finding it impossible to fill open positions with candidates of the required quality at a time when we are continually hearing about new attacks, external breaches and even the threat posed by internal employees.
The survey, which took on the views of 649 managers and practitioners within the infosec and more general IT fields, showed that 77% had experienced an increase in attacks during 2014, with familiar threats such as phishing, malware and loss of mobile devices proving to be among the most problematic issues.
While we all know that such threats can be mitigated to a fair degree through security awareness, monitoring processes and BYOD policies, the fact is that many organisations simply cannot recruit suitable talent to put processes and procedures into place.
The study reveals the depth of the problem, citing a large number of unqualified applicants as being of particular concern – over half of the survey respondents said that less than a quarter of applicants had the required qualifications for the role they were applying for.
As for why applicants were not suitable, the findings make interesting reading.
Traditionally, the infosec industry has been synonymous with communication problems and, while that may still be so to a degree, it is not the biggest challenge faced by organisations.
Nor is a lack of technical skills – I’ve been told several times that they can be taught to the right candidate if they have at least some aptitude and a passion for the subject.
The biggest issue is actually one that has been receiving more and more commentary over the last few months – a lack of understanding when it comes to business issues.
This makes sense of course – the days of infosec being presented as a drain on company budgets that offers nothing tangible in return are well and truly over. The modern professional needs to be able to see how the function can be a business enabler and present a case for how the huge cost can offer some form of return on investment.
And knowing what you are meant to be protecting is never a bad idea either, eh?
Even so, the pool of candidates seems to be either unaware of the need to adapt or unwilling to do so, even in the short term, as companies report open positions and lengthy searches as they seek out new talent.
And this comes at a time when infosec is finally beginning to be taken seriously by boards and senior managers, as evidenced by the survey’s findings that:
- 79% report a board that takes an interest in security
- Just under a third of respondents now report directly to the CEO or other board director
- Over half of the surveyed organisations employ the services of a CISO
- 56% of respondents reported that their organisation has upped the security budget for 2012 and a little under two-thirds are, surprisingly, content with the funding available to them
So, with the report revealing how there is still a dearth of talent, and suggesting that formal education, practical experience and certifications are a great starting point for new infosec professionals, where is change needed?
Robert E Stroud, international president of ISACA and vice president of strategy and innovation at CA Technologies, said:
If there is any silver lining to this looming crisis, it is the opportunities for college graduates and professionals seeking a career change. Cybersecurity professionals are responsible for protecting an organization’s most valuable information assets, and those who are good at it can map out a highly rewarding career path.
Stroud makes a good point but he doesn’t answer the question I believe many recruiters are asking – why is the talent not coming through the educational system in the first place?
Is it because infosec is not a sexy enough career choice, because of its inability to appeal to women, or a question of salary levels?
I think not, myself, and agree with Jitender Arora who, at IP Expo last year, said the problem lies with the type of education being provided – it’s not necessarily offering what businesses want.
My view, therefore, is that we probably need better links and understanding between businesses and universities and other educational establishments, so that the next generation of potential recruits have skills that are both sufficient and relevant.
Do you agree?