Reimagining staffing in the cybersecurity industry

David Strom 7 Jun 2021

As the cybersecurity workforce shortage persists, it's time to assess what is and is not working in staffing practices

Since 1967, ISACA has been providing a centralized source of information and guidance within the IT governance and control field. ISACA's State of Cybersecurity 2021, Part 1 report contains the organization's update on its workforce development efforts. This is the seventh year that ISACA has surveyed its membership, and the report is based on more than 3,600 respondents from 120 countries, with more than half of them saying their primary jobs are directly in the field.

In spite of the Covid-19 pandemic, overall cybersecurity spending has dropped, which seems counterintuitive but continues to be a trend that ISACA has been documenting for several years (see the chart below).

Image credit: ISACA

As you see in the first group, the category of “significantly underfunded” cybersecurity programs continues to drop, now down to 14% of those surveyed in the most recent study. The survey found that “65% of respondents whose cybersecurity teams are significantly understaffed say they have experienced difficulties retaining qualified cybersecurity professionals — conceivably due to burnout.”

There is a small amount of good news, though. “Although the cybersecurity industry continues to be a seller’s market, the global pandemic appears to have positively influenced cybersecurity staff retention efforts,” says the report.

Unfortunately, the fact remains that companies that are severely understaffed are seeing some evidence of burnout and losing people.
Part of the problem is that more than half of those surveyed still have unfilled cybersecurity positions. The chart below shows the difference between 2020 and 2021 in time spent recruiting for qualified cybersecurity positions (with a notable increase in the three- to six-month period during 2021).

Image credit: ISACA

“The largest skills gap among cybersecurity professionals is soft skills, including communication skills, leadership, critical thinking, teamwork, work ethic and positive attitudes. More than half the respondents chose this category,” according to the report. The survey showed this concentration is still missing from recent college cybersecurity graduates, which isn’t a good sign that these programs have the right focus for the workforce.

Reforming cybersecurity staffing requirements

The summary of the ISACA report poses these very relevant questions: “For those already in the workforce, one might assume responsibility falls on the employer but which functional area if any funds it? And if not the employer, can we require existing employees to remedy an issue that was likely never specified in a job description?”

One remedy might be in how we train the new college graduates of cybersecurity programs. Some corporate executives, such as in a recent Wall Street Journal panel discussion, have suggested dropping a degree as a hard prerequisite for getting a cybersecurity job. The report says, It is increasingly obvious that the industry requires recalibration when it comes to staffing.”

Laurel Nelson-Rowe is a former ISACA editorial manager. I asked her why this continues to be an issue. “The problem is that the workforce doesn’t have college credentials but there continues to be a great need for cyber-knowhow. This means you have to look at candidates’ business experience, applied skills, and any other credentials they have and can bring to the job. Sadly, this need isn’t going to subside any time soon.” Her suggestion is to offer free cyber training more widely as an option to encourage candidates.

The report quotes CyberUp’s Executive Director Tony Bryan, who runs a large training program near St. Louis. He says, “The largest barrier is the mindset that the industry faces a skills gap as opposed to a talent pipeline problem. Employers still use 20-year-old hiring practices such as internships and co-op jobs and must reimagine hiring. Pathways such as apprenticeship offer a low-cost, low-risk, faster way to ready a workforce. The cybersecurity workforce shortage persists and likely will continue, until there is an honest analysis of what is and is not working. Despite years of effort by government, industry and academia, and despite the expenditure of large swaths of taxpayer dollars, little has changed.”

For more details, you can check out the complete ISACA report