Separate staffing studies by (ISC)² and ISACA point to the need for security departments to work with existing staff to identify needs and incorporate top-level people into the field.
Security managers trying to hire new staff this year and beyond face some difficult realities: top-level security superstars are hard to find, if they exist. Some security budgets are tightening. And there is a surprising lack of “soft” communication skills among security professionals.
These are the key trends found in two recent and separate studies on the security workforce by leading security industry groups ISACA and (ISC)². Both studies advise security managers to start by consulting the Workforce Framework for Cybersecurity (NICE Framework), document 800-181 published by NIST.
“Fortune 50 companies may have a good idea of what a cybersecurity department should look like, but there are even large, certainly medium-sized companies that are still struggling to figure it out,” says Clar Rosso, CEO of (ISC)².
And Jonathan Brandt, head of professional information security internships at ISACA, points out that when people look for jobs online, there are so many different job titles and classifications that both employers and job seekers are confused.
“Basically, security teams need three types of people: analysts who analyze anomalies and patterns in alerts, engineers who establish security controls and manage endpoints and networks, and finally architects, people who track emerging technology and find out what new products to buy,” says Brandt.
One of the main findings of the (ISC)² study is that the best security talent (the so-called “all-stars”) is hard to find and often does not exist. While all teams need a top-tier player and someone who can serve as a mentor, Rosso says companies need to stop looking strictly for the stars and think in terms of the people they really need to run a security department.
“Companies have to play the long game,” he says. “Try to involve your existing security staff and ask them what they think the department needs. Then decide what you can realistically spend to get people to the entry levels. Think about it the same way that a baseball team needs a front-line pitcher, but they also need infielders, punchers and relief pitchers.”
Companies need to do a better job leveraging the experience of their existing staff, as well as attracting a more diverse workforce, Rosso says.
For example, (ISC)² data found that the percentage of women working in cybersecurity functions decreases as tenure increases. Although 37% of the professional group with three or fewer years of experience are women, only 28% of the group with eight or more years of experience are women. This may indicate that more women are joining the profession, but Rosso says it may also suggest that women do not find enough opportunities for advancement as they advance in the field.
(ISC)² data also found that 42% of women working in non-IT jobs are interested in a cyber career, compared to 29% of women who already have a computer function.
ISACA data indicates that companies are responding: Forty-three percent said they are attacking the cyber skills gap by increasing the training of non-security personnel who want to move into cyber roles. And another 23% of ISACA respondents said their companies have increased “requalification” programs.
Some security budgets will decrease
Companies will have to do more of this, not only because of the lack of cyber talent, but also because budgets will continue to shrink, says Brandt of ISACA.
While 47% said they expect security budgets to increase in 2021, 20% believe they will decrease this year. Brandt says this is an indication that the pandemic has reduced the revenues of many companies and that they will have less to invest in cybersecurity.
“In many ways, it’s a simple economy,” Brandt says. “If revenues go down, so do expenses. So until we get out of the pandemic, security teams can expect tighter budgets.”
Security professionals also agree that a wide range of soft skills are important for success in cybersecurity. When respondents to the (ISC)² study were asked to select their top two values, analytical thinking (34%) and problem solving (33%) were valued more than skills such as business vision (10%), leadership (10%) and project management (7%).
The ISACA study took a much stricter stance on soft skills: more than half (56%) of ISACA respondents said security professionals today do not have soft skills, such as communications, flexibility and leadership. This is more than the lack of technical skills such as endpoint and network management (36%) and coding skills (31%).
“We have become so caught up in technical skills that we have forgotten that what companies really need are people who can explain all the technical analysis in concise and understandable terms,” says Brandt of ISACA, who will participate in a panel on the ISACA study at the RSA Conference 2021 this month. “We need security people who can demonstrate to senior management that they understand what business they are in.”
Steve Zurier has more than 30 years of experience in journalism and publishing and has covered networking, security and computer science as a writer and editor since 1992. Steve is headquartered in Columbia, Md.