
Companies need millions more cybersecurity professionals to fill roles around the world, but researchers say outlandish job requirements are the problem, rather than a lack of workers.

Around 3.1 million professionals are needed to bridge the cybersecurity talent gap, a trade association for cybersecurity professionals estimated in a November report. The International Information System Security Certification Consortium, known as ISC2, said world-wide employment in the field would need to grow 89% to meet security requirements.

However, excessive requirements for years of experience and professional certifications plus inflated expectations for junior roles aren’t uncommon, said Chase Cunningham, principal analyst at research firm Forrester Inc. He said that results in the perpetual problem of such positions going unfilled because companies often target overqualified candidates who can command greater salaries than these jobs tend to offer.

“We’ve created this self-licking ice-cream cone of misery that continues to drive the narrative forward that we don’t have the ability to solve this problem, or we don’t have enough humans,” he said. Despite holding a doctorate in computer science and having extensive military, federal and private-sector experience, Mr. Cunningham said he is routinely approached by companies offering entry-level positions.

Job postings on social-media websites for positions usually regarded as gateway roles are rife with such requirements. For instance, one post on recruiting site Glassdoor for a security operations center analyst at a Texas office of a major bank, a role many would consider as gateway, asked for a bachelor’s degree; at least four years of experience, including time doing penetration testing, digital forensics and vulnerability assessments; and professional certificates.

Cyber analyst roles advertised in November at real-estate firms, banks, consultancies and other companies across the U.S. routinely asked for at least two to four years of experience and knowledge of advanced disciplines. Professional bona fides, such as the Certified Information Security Systems Professional certification, can be an advantage for job seekers, but organizations awarding such continuing education certificates find it puzzling they are a requirement in entry-level job postings.

“You need five years of experience to have a CISSP,” said Clar Rosso, chief executive of ISC2, which issues the certification. “Possibly the human resources recruiter doesn’t have experience in the area and they’re not able to say, wait, that doesn’t even make sense.”

Layers of corporate bureaucracy often add unreasonable requirements to what should be simple job postings, said Neal Dennis, a threat intelligence specialist at security firm Cyware Labs Inc. He has encountered situations in the past where he had created a job description that required basic training in cybersecurity, only for the posted role to require years of experience and extensive education once it went through managers and recruiters.

Sometimes recruiters mimic other advertisements they have seen, he said, but line managers aren’t blameless.

“There’s a misunderstanding, I think, out the door of what the [requirements] really should be for junior, midlevel and senior roles, and what those expectations are,” he said.

Ms. Rosso said she didn’t believe that inflated requirements alone were driving the shortfall in workers, but there should be changes to employer expectations and consideration of more diverse candidates to solve the problem.

The Cyberspace Solarium Commission, a federal body established to analyze U.S. cybersecurity preparedness, recommended in a September report that federal agencies should consider candidates with nontraditional academic or professional backgrounds. Similar recommendations have been made by other commissions studying artificial intelligence and the role of national service in U.S. society.

Apprenticeship schemes and firm career development paths for new cybersecurity workers would help change hiring practices. These could include programs to help employees gain on-the-job experience, as well as professional certifications, which Forrester estimated in a June 2019 report could cost up to $10,000 for individuals to obtain on their own.

These efforts also would help companies retain workers, Cyware’s Mr. Dennis said, which ultimately would reduce the talent gap.

“Once that shift occurs, I think that the skill shortage starts to answer itself. And then we’ll finally realize that there’s not really a people shortage, there’s just a knowledge shortage on the people who are available,” he said.

Write to James Rundle at [email protected]

This post first appeared on wsj.com
