Just How Hard Is It To Hire Skilled IT Security Professionals?

There’s no doubt that there is a skills shortage in the IT industry, particularly in the field of security. Organisations are keen to augment their IT security capabilities but are struggling to hire the right people for the job. A recent survey revealed the level of difficulty companies are facing when trying to net security professionals.

ISACA and RSA Conference jointly conducted a global survey of 461 cybersecurity managers and practitioners to gauge the state of the industry. The findings in the State Of Cybersecurity 2015 report showed that while organisations are placing greater emphasis on keeping their digital assets safe, security managers are still being left out of top executive leadership teams. Only one in seven chief information security officers reported directly to the CEO. The rest generally report to the CIO.

Why does this matter? It shows that security is still viewed as a technical rather than a business concern. As discouraging as this may be, there are signs that the tide is turning as business executives commit to boosting cybersecurity budgets. Sixty-one per cent of respondents said their organisation is looking to increase pay for skilled workers, skills development, awareness training and response planning to support IT security. In addition to increasing spending, 75 per cent of respondents reported that their organisations’ cybersecurity strategy now aligns with enterprise objectives.

The biggest challenge for organisations now is finding the right people to protect their businesses from cyberattacks. Unfortunately, well-trained and highly skilled security professionals are hard to come by. In the ISACA and RSA survey, 53 per cent of respondents said their companies need at least three months to fill an open cybersecurity position. Twenty-six per cent require around six months, and nine per cent fail to find anybody at all.

Even among the companies that eventually fill their security vacancies, not all are happy with their hires. Around 60 per cent of the survey’s respondents said they were inundated with applicants who lacked adequate qualifications. A lack of hands-on skills and a lack of certification were cited as reasons companies rejected security job applicants, followed by candidates’ inability to understand the business and shortcomings in technical and communication skills.

“Not having skilled employees certainly impacts an enterprise’s ability to identify, contain and mitigate complex security incidents, which results in increased cost to the enterprise,” the report noted.

The cybersecurity skills gap poses its own threat to keeping an enterprise safe. The survey recorded a 12 per cent year-on-year drop in the share of security professionals who are confident in their team’s ability to detect and respond to incidents, down to 75 per cent in 2015. Even among that 75 per cent, six in ten do not believe their staff can handle anything beyond simple cybersecurity incidents.

“The lack of confidence in current cybersecurity skill levels shows that conventional approaches to training are lacking,” ISACA chief knowledge officer Ron Hale said. “Hands-on, skills-based training is critical to closing the cybersecurity skills gap and effectively developing a strong cyber workforce.”


  • The job itself is highly challenging, it’s very technical, and finding the right person to fill that position is not as easy as it may sound. Also, having completed certifications doesn’t make you an experienced candidate at all. It’s also imperative to practise what you’ve learned, continue practising and always be willing to learn more.

    Computer security is not an easy field; it’s very dynamic and hard to keep up with. You need to have a strong mindset to succeed in this field. That’s why employers are struggling to find the right person…

  • It’s not always that no one out there is suited for the role, but from my experience the business can be at fault just as much, either not accurately describing what type of professional they are after or listing unrealistic expectations with limited reward.
    I have found that some organisations get their HR departments to whack a brief job description together to put on Seek or whatever, not defining the crucial aspects of the role.
    A couple of years back I applied for a network engineering role with a generic description; it turned out they wanted a CCNP R&S plus Security, seven years’ experience, on call, and capped the salary at $55k non-negotiable. The only interview I’ve ever cut short.

    • At interviews for two separate positions, the hiring manager asks “are you familiar with Microsoft Access?”. Trouble is, one role just requires data entry (in which case the database is immaterial) and the other actually requires SQL Knowledge, and the ability to debug someone’s spaghetti code.

      It’s not that the right people aren’t available, it’s that the hirers don’t know how to express what they need and/or they see all IT skills as being roughly equivalent, whether you’re an enterprise architect or a general office all-rounder.

  • Industry-based apprenticeships are what are needed. There are a lot of people I know who have the mindset, but not the opportunity to get into the industry. There’s a whole lot of smaller issues at play that create this larger problem. CBA are doing a good job of influencing positive change in the industry.
