(ISC)2: Only 13% of Cybersec Pros Had a Cyber EducationStudy Points to Need for Extensive On-the-Job Training
Only 13% of cybersecurity professionals in North America had a cybersecurity education before getting into the sector, according to a new report from (ISC)2, a nonprofit association that certifies cybersecurity professionals. And 8% explored cybersecurity on their own before being recruited to the field.
See Also: 2022 Voice of the CISO
A majority of cybersecurity pros - 55% - previously worked in IT, according to the study. Another 31% previously worked in the military or law enforcement.
The study found that cloud security is the No. 1 technical skill those entering a cybersecurity career should possess, followed by data analysis skills and coding/programming expertise.
Clar Rosso, CEO of (ISC)2, tells Information Security Media Group that there's a shortage of 3.12 million cybersecurity pros worldwide, referring to the difference between the number of skilled professionals that organizations need to protect their critical assets and the actual capacity available to take on this work.
The study demonstrates that organizations must offer extensive on-the-job training as they strive to build teams equipped to tackle emerging threats, Rosso says.
The Cybersecurity Career Pursuers Study, conducted in December 2020, surveyed 1,024 cybersecurity practitioners and 1,010 cybersecurity job seekers throughout the U.S. and Canada.
Realistic Job Descriptions Needed
A key challenge, Rosso says, is overcoming an acute lack of awareness about what cybersecurity jobs entail. "There are wide variations in the kinds of tasks entry-level and junior staff can expect," she points out.
"Many organizations still default to job descriptions that rely on cybersecurity ‘all-stars’ who can do it all. The reality is that there are not enough of those individuals to go around, and the smart bet is to hire and invest in people with an ability to learn, who fit your culture and who can be a catalyst for robust, resilient teams for years to come."
Using a baseball analogy, Rosso says: "It’s like organizations are trying to recruit for every opening in their company through free agency, when what they need to be doing is developing a robust farm system, with a stable of utility players who can be developed over time to fit particular roles. … We don’t need a cybersecurity team that has all CISOs on it. We need more balanced teams and organizations."
Too many organizations have hiring practices that create barriers to entry, Rosso contends.
"My concern is ensuring we avoid creating artificial barriers to entry that make the cybersecurity profession less accessible at a time when it is more important than ever that we are embracing more diversity and inclusive practices," she says.
For example, job descriptions with overinflated entry-level requirements - such as CISSP certification - can make hiring challenging, she says.
Tips for Hiring
To help build cybersecurity staffs, Rosso says organizations should:
- Hire for attitude and aptitude. When dealing with dynamic challenges, organizations need a diverse group of thinkers.
- Invest in training those individuals over time to build the team you need.
- Ask the team to suggest the skills staff members lack that should be sought out when hiring new team members.
- Focus on diversity. The more diverse thinking you have on your team, the more successful it will be at addressing changing threats.
Continuous learning, such as through certification programs, can play an important role in career development Rosso says.
"Professional qualifications are a critical tool for benchmarking and validating skills and expertise," she says. "They demonstrate to employers an individual’s experience, understanding of a rigorous professional body of knowledge, as well as a commitment to continuous professional development, which is so important in an environment with dynamic and increasingly complex threat vectors."
Another (ISC)2 study last year, the Cybersecurity Workforce Study, reported that supportive employers are a motivating factor for practitioners to pursue professional certification.
"Employers need to invest in training financially, but also by giving employees the tools, time and resources to study and learn on the job," Rosso states.