As cyber talent demand heats up, hiring managers should shift expectations


A recent data analysis from CyberSeek confirmed what many in cybersecurity know all too well: The job market is on fire.

U.S. employers posted roughly 715,000 cybersecurity roles in the 12-month period ending in April 2022. Demand for cybersecurity jobs increased 43% over that 12-month period, compared to 18% for the rest of the job market. 

“The growth rate is some of the fastest that we have ever seen,” said Will Markow, VP of applied research, talent for Lightcast, one of the three industry partners behind CyberSeek. “In the first four months of 2022, each month broke the previous month’s record for the most jobs tracked.”

High demand has come at a cost, though. Cybersecurity jobs are taking 21% longer to fill than other IT roles, and cybersecurity salaries have crept up to 10% more than IT salaries, Markow said. Only two states – Maine and Wyoming – aren’t reporting a talent shortage. 

And for every 100 jobs being posted, there are only 66 workers to fill them.

“That means we’re entering the cybersecurity battlefield with one-third of our army on the sidelines,” he said.

Too many companies looking for unicorns

Many companies cite a talent gap for their inability to fill cybersecurity roles – but a big part of the problem may be that hiring managers are looking for more than they can find.

ISACA’s latest State of Cybersecurity report indicated that more than 60% of companies have unfilled cybersecurity positions and understaffed teams. 

The top skills gap, cited by more than half of cybersecurity professionals surveyed, is soft skills such as problem solving, critical thinking, and communication. The top factor used to determine whether a candidate is qualified, though, is prior hands-on cybersecurity experience, followed by credentials.

“There are almost 1 million open jobs – but no one is willing to hire junior people,” said Jenai Marinkovic, a member of the ISACA Emerging Trends Working Group and virtual CISO/CTO with Tiro Security.  

At a philosophical level, it makes sense. In an ever-expanding cyberthreat landscape, and with increased scrutiny of cybersecurity practices among government entities as well as customers, few companies are willing to put someone with just a few months of experience in charge of protecting valuable digital assets, Markow said.

However, it often leads to what Jon France, CISO of (ISC)2, describes as “job description abuse.” 

An entry-level role, for example, will require Certified Information Systems Security Professional certification – which requires five years of industry experience and a passing grade on the CISSP exam. 

“There’s fierce competition for the unicorn who’s at a senior level, but because that’s such a tough market, you need to balance your hiring across entry-level and those who are more experienced,” France said.

More entry-level certification and training

The high-flying skills are unrealistic. For starters, the recent (ISC)2 Cybersecurity Hiring Guide found that about 62% of cybersecurity professionals in the United States have less than four years of experience. 

In addition, more than 137,000 cybersecurity job postings in the U.S. over the last 12 months asked for CISSP certification, Markow said, citing CyberSeek data. But fewer than 95,000 workers have obtained certification.

“It really benefits employers to think carefully about the skill sets and credentials they request,” Markow said. “We need to widen the hiring aperture to bring in workers from more diverse experiential and educational backgrounds. Employers want someone with at least a bachelor’s degree to enter the position, but we can’t wait four years for the next crop of workers.”

It’s the same for Marinkovic: “We are seeing a decrease in the number of people who demand degrees, but it’s hard to let go of that bias. Cybersecurity tends to be monolithic in its way of thinking.”

One approach to meeting this need is entry-level certification. (ISC)2 is piloting such a program, which targets students as well as those looking to enter cybersecurity from another industry. 

“We have to look at other sectors and attract people interested in changing careers,” France said. “Being new to cybersecurity doesn’t necessarily mean being young.”


