Demand for qualified cybersecurity professionals continues to outstrip supply - and what you can do about it

Our region was slightly higher compared to the rest of the globe in terms of being unable to fill cybersecurity positions at allJo Stewart-Rattray, ISACA

Sophisticated cybersecurity defenses are increasingly in high demand as a cybersecurity attack is now viewed as an inevitability. However, a majority of surveyed organisational leaders fear they are ill-equipped to address these threats head-on.

According to a new cybersecurity workforce study by ISACA’s Cybersecurity Nexus, only 59 per cent of surveyed organisations say they receive at least five applications for each cybersecurity opening, and only 13 per cent receive 20 or more.

In contrast, studies show most corporate job openings result in 60 to 250 applicants. Compounding the problem, ISACA’s State of Cybersecurity 2017 found that 37 per cent of respondents say fewer than 1 in 4 candidates have the qualifications employers need to keep companies secure.

“Though the field of cybersecurity is still relatively young, demand continues to skyrocket and will only continue to grow in the coming years,” says Christos Dimitriadis, ISACA board chair and group director of Information Security for INTRALOT.

“As enterprises invest more resources to protect data, the challenge they face is finding top-flight security practitioners who have the skills needed to do the job. When positions go unfilled, organisations have a higher exposure to potential cyberattacks. It’s a race against the clock.”

More than 1 in 4 companies report that the time to fill priority cybersecurity and information security positions can be six months or longer. In Europe, almost one-third of cybersecurity job openings remain unfilled.

“The skills gap in Australia and New Zealand continues to grow,” says Jo Stewart-Rattray, ISACA board director.

“Respondents in Australia and New Zealand said it took longer than the global average of three months to fill a position, and our region was slightly higher compared to the rest of the globe in terms of being unable to fill cybersecurity positions at all.”

Jo Stewart-Rattray, ISACA board director

“The highest levels of management need to recognise cybersecurity is not just an IT issue - it’s a business issue.”

Stewart-Rattray says two important steps businesses can take today is to provide basic security training for all staff to be able to identify potential threats, and to offer on-the-job training to current employees with tangential skills.

“Organisations also need to invest in performance-based certification programs, such as CSX Practitioner, to be able to source and train qualified talent.”

A new report by Accenture, meanwhile, echoes the same concerns over the dearth of qualified cybersecurity professionals across Australia and New Zealand.

“For most, the number one operational problem comes down to people and skills – both in the business at large and among security professionals,” according to the Accenture report Cybersecurity in Australia and New Zealand: How Operational Effectiveness is Key.

The report states in the current high-turnover environment, firms often expose themselves by having only one person responsible for a security area, such as malware reverse engineering or incident response.

“If that person leaves, all the knowledge goes with them. Too often, organisational structures are not suited to deal with today’s cyber threats. Often businesses can be reluctant to change for a range of reasons, however, this change is necessary to compete and win against the changing threat landscape.”

When positions go unfilled, organisations have a higher exposure to potential cyberattacks. It’s a race against the clock.Christos Dimitriadis, ISACA

“Invest in talent where it makes sense,” Accenture advises organisations.

“Given the almost daily reports of high-profile cyberattacks, demand for top security talent has skyrocketed. This makes it increasingly difficult to attract and retain good security talent.

“Organisations need to create new value propositions that go beyond compensation, such as providing access to cutting-edge tools, training, and peer and industry knowledge sharing. Other incentives include the chance to participate in conferences and opportunities to innovate by adapting tools and technologies to new applications. Given budget realities, organisations also need to understand which capabilities really matter and outsource those that do not.”

Cybersecurity qualifications: A moving target

The ISACA report, meanwhile, finds most job applicants do not have the hands-on experience or the certifications needed to combat today’s corporate hackers.

“The survey underscores a fundamental disconnect between employer expectations and what candidates can actually bring to the table,” says Matt Loeb, ISACA CEO.

“Employers are looking for candidates to make up for lost time but that doesn’t necessarily mean a significant academic investment. Many organisations place more weight in real-world experience and performance-based certifications and training that require far less time than a full degree program.”

For most, the number one operational problem comes down to people and skills – both in the business at large and among security professionalsAccenture

ISACA’s report highlighted where hiring managers’ expectations are shifting most as they consider candidates for open cybersecurity positions:

  • 55 per cent of respondents report that practical, hands-on experience is the most important cybersecurity qualification
  • 25 per cent of respondents say today’s cybersecurity candidates are lacking in technical skills
  • 45 per cent of respondents don’t believe most applicants understand the business of cybersecurity
  • 69 per cent of respondents indicate that their organisations typically require a security certification for open positions and most view certifications as equally, if not more, important as formal education

ISACA lists five steps to find, assess and retain qualified cybersecurity talent:

Invest in performance-based mechanisms for hiring and retention processes: ISACA’s CSX assessment capability can help employers assess performance level of prospective and current staff members.

Create a culture of talent maximisation to retain the staff you have: Even when budgets are tight, there are things that can be done that don’t impact the bottom line: alternative work arrangements, investment in personnel growth and technical competency, and job rotation to help round out skills and minimise frustration with repetitive (but necessary) tasks.

Groom employees with tangential skills—such as application specialists and network specialists—to move into cybersecurity positions: They are likely to be highly incented to do so and it can help fill the gap in the long term. Having a path in the organisation to do this can be a solid investment, as it can be cheaper to fill those gaps and help support employee morale.

Engage with and cultivate students and career changers: An outreach program to a university or an internship program can help with this.

Automate: Where security operational tasks can be automated, it can decrease the overall burden on staff and thereby help make best use of staff that an organisation already has.

No caption

Send news tips and comments to

Follow Divina Paredes on Twitter: @divinap

Follow CIO New Zealand on Twitter:@cio_nz

Sign up for CIO newsletters for regular updates on CIO news, views and events

Copyright © 2017 IDG Communications, Inc.

6 digital transformation success stories