One quarter of companies are taking six months or longer to fill critical cybersecurity positions, according to a new survey from ISACA.
The cyber security workforce study, conducted for ISACA's Cybersecurity Nexus (CSX) training program, found low rates of applications for cybersecurity jobs, and long wait times to fill vacancies, indicating the ongoing problem of an IT skills gap.
According to ISACA, more than one in four companies report that the time to fill priority cyber security and information security positions can be six months or longer. In Europe, almost one-third of cyber security job openings remain unfilled.
The survey also found that only 59% of organisations surveyed receive five or more applications for each security job, and only 13% receive 20 or more, in contrast with an averages of 60 to 250 applicants for each corporate vacancy. Additionally, 37% of respondents found only one in four candidates have the necessary cybersecurity qualifications.
"Though the field of cyber security is still relatively young, demand continues to skyrocket and will only continue to grow in the coming years," said Christos Dimitriadis, ISACA board chair and group director of Information Security for INTRALOT. "As enterprises invest more resources to protect data, the challenge they face is finding top-flight security practitioners who have the skills needed to do the job. When positions go unfilled, organisations have a higher exposure to potential cyberattacks. It's a race against the clock."
Most job applicants also lack the hands-on experience or the certifications needed to combat today's corporate hackers, ISACA's report found.
"The survey underscores a fundamental disconnect between employer expectations and what candidates can actually bring to the table," said Matt Loeb, ISACA CEO. "Employers are looking for candidates to make up for lost time but that doesn't necessarily mean a significant academic investment. Many organizations place more weight in real-world experience and performance-based certifications and training that require far less time than a full degree program."
ISACA's report highlighted changing requirements for security roles, with 55% of hiring managers saying they require hands-on experience and 69% reporting that they require professional security certifications from applicants. At the same time, one quarter of respondents said that candidates lack technical skills, and 45% believe that candidates don't understand the business of cybersecurity.
ISACA recommends that employers should invest in performance based mechanisms for hiring and staff retention, maximize the talent that they have through investing in current staff training and job rotation to round out skills; and groom employees who have tangential skills that can enable them to support and adopt security roles.
Organisations should also engage with students and career changers to attract talent, and look at automation of security operations tasks, to reduce the load on skilled security personnel.