As demand for cyber talent grows, hiring managers need to shift their expectations

A recent data analysis from CyberSeek confirmed what many cybersecurity experts know all too well: the job market is on fire.

U.S. employers posted approximately 715,000 cybersecurity jobs in the 12-month period ending April 2022. Demand for cybersecurity jobs increased 43% over this 12-month period, compared to 18% for the rest of the labor market.

“The growth rate is one of the fastest we’ve ever seen,” said Will Markow, vice president of applied research, talent for Lightcast, one of three industry partners behind CyberSeek. “In the first four months of 2022, each month broke the previous month’s record for the most jobs tracked.”

The high demand comes at a cost, however. Cybersecurity jobs take 21% longer to fill than other IT positions, and cybersecurity salaries have grown up to 10% more than IT salaries, Markow said. Only two states — Maine and Wyoming — are not reporting a talent shortage.

And for every 100 posted jobs, there are only 66 workers to fill them.

“That means we’re entering the cybersecurity battlefield with a third of our military sidelined,” he said.

Too many companies looking for unicorns

Many companies cite a lack of talent for their inability to fill cybersecurity roles – but a big part of the problem may be that hiring managers are looking for more than they can find.

The latest ISACA State of Cybersecurity Report found that more than 60% of organizations have cybersecurity vacancies and understaffed teams.

The top skills gap, cited by more than half of cybersecurity professionals surveyed, relates to soft skills such as problem solving, critical thinking, and communication. However, the primary factor used to determine if a candidate is qualified is prior hands-on cybersecurity experience, followed by credentials.

“There are nearly a million jobs open – but no one is willing to hire juniors,” said Jenai Marinkovic, member of ISACA’s Emerging Trends Task Force and virtual CISO/CTO at Tiro Security.

On a philosophical level, this makes sense. In an ever-expanding cyber threat landscape and with increased scrutiny of cybersecurity practices among government entities as well as customers, few companies are willing to entrust someone with only a few months of experience with the responsibility of protecting valuable digital assets, Markow said.

However, this often leads to what Jon France, CISO of (ISC)2, described as “job description abuse.”

An entry-level role, for example, will require a Certified Information Systems Security Professional certification – which requires five years of industry experience and a passing score on the CISSP exam.

“There’s fierce competition for the unicorn that’s at a higher level, but since it’s such a tough market, you need to balance your recruiting between newbies and those who are more experienced,” France said.

More entry-level certification and training

Expecting such high-level skills is unrealistic. To begin with, the recent (ISC)2 Cybersecurity Hiring Guide found that approximately 62% of cybersecurity professionals in the United States had less than four years of experience.

Additionally, more than 137,000 cybersecurity job postings in the United States over the past 12 months have asked for CISSP certification, Markow said, citing data from CyberSeek. But fewer than 95,000 workers have obtained the certification.

“It really benefits employers to think carefully about the skill sets and credentials they’re asking for,” Markow said. “We need to widen the opening of employment to attract workers from more diverse backgrounds of experience and education. Employers want someone with at least a bachelor’s degree on the job, but we can’t wait four years for the next wave of workers.”

It’s the same for Marinkovic: “We see a decrease in the number of people asking for diplomas, but it is difficult to get rid of this bias. Cybersecurity tends to be monolithic in its way of thinking.”

One approach to meeting this need is entry-level certification. (ISC)2 is steering such a program, which targets students as well as those looking to enter cybersecurity from another industry.

“We need to look at other sectors and attract people interested in changing careers,” France said. “Being new to cybersecurity doesn’t necessarily mean being young.”
