Cyber pros say hiring practices must change as skills shortage worsens

A recent study shows no improvement in the global cyber skills shortage, with many organizations continuing to make basic mistakes in hiring cyber security employees. 

In the fifth annual roundup of insights from cyber professionals by the Information Systems Security Association (ISSA) and industry analysts Enterprise Strategy Group (ESG), 95% of respondents said that skills shortages have not improved over recent years, while 44% say they have become even greater. If you want to break into cyber security, the majority of respondents recommend getting hold of a CISSP cert.

Recruitment crisis: no end to skills shortages in sight

The report, The Life and Times of Cybersecurity Professionals 2021, is based on a global survey of 489 cyber security professionals, focusing on their experience and insights on the impact of the recruitment crisis. View the report here.

As the report authors observe, the discussion surrounding cyber skills shortages has been going on for a decade. Data collected for the project suggest that there has been no significant progress towards a solution. If things are going to change, the researchers recommend that employers pay special attention to the following: 

  • Placing greater value on security, including the creation of a culture of security at all levels of the business.
  • Offering stronger cyber career advancement and training opportunities.
  • Including cyber as part of executive planning and strategy. 

Scale of the skills gap 

  • 57% of organizations have been impacted by the global skills shortage this year.
  • Half of respondents say the situation has not improved over the last few years.
  • 44% say things have got worse, while just 5% say it has improved. 
  • Understaffing is taking a toll on existing cyber teams. The biggest reported negative effects are bigger workloads, staff burnout, attrition, and an inability to learn or use security technologies to their potential.

Hiring is difficult, and businesses are making mistakes 

  • Three quarters of respondents said it was either ‘extremely difficult’ or ‘somewhat difficult’ to recruit cyber professionals.
  • It’s a seller’s market for skills, but companies do not always make it easy to attract talent. 38% of respondents say their organization does not offer competitive salaries. A quarter say that job postings are unrealistic (e.g. too much emphasis on years of prior experience and formal qualifications).

Headhunting is common practice

  • Once you’re in a job, don’t be surprised to receive a steady stream of offers to move elsewhere.
  • 70% get approached by recruitment agencies to consider new positions at least once per month. Nearly a quarter are solicited by recruiters a few times a week.
  • 71% say that the volume of headhunting activity has increased over the last few years.

Technology categories where the skills shortage is greatest

The top five areas where skills shortages are most common are as follows: 

  • Cloud computing security (39% reported a shortfall)
  • Security analysis & investigations (30%) 
  • Application security (30%)  
  • Risk and/or compliance administration (27%) 
  • Senior-level cybersecurity positions (23%)

How hiring practices should change

When asked their opinion on the steps employers should take to alleviate the skills gap, the most popular suggestions were for organizations to increase their training efforts, make salaries more market competitive and offer incentives, such as paying for certifications and enabling participation in industry events.

Advice for people who want to get into cyber 

What are the three best things you could do if you want to start your career in the cyber security field? Respondents were asked for their insight on this. The three top recommendations were to get a basic cyber security certification (49%), join a professional industry body (42%), and find a mentor to help you develop skills and career plans (36%). 

Interestingly, obtaining a college degree is not generally regarded as a top priority. Just 16% of the cyber professionals polled listed enrolling in a college-level computer science course as one of their recommendations. 

Once you’re actually in a job, what’s the best way to become proficient at it? 52% of cyber pros said that hands-on experience is more important than certifications. 44% ranked the two equally.

What certification should I study for?

Cyber pros were asked to confirm which security certifications they currently hold. By some distance, the Certified Information Systems Security Professional (CISSP) accreditation was the most popular. 59% of respondents said they hold this qualification. 

Again, when asked to name the most important certification to help you get a job, CISSP came top with 51% of the vote. The next most popular choice, Certified Information Security Manager (CISM), scored 13%.

CISSP remains a clear favorite certification throughout the industry. For instance, a 90,000-member LinkedIn community of cyber security professionals was asked to rate its top certifications for 2021. Nearly three quarters (72%) identified CISSP as the certification with the greatest demand.

For everything you need to pass these top certifications, gain hands-on experience and get mentorship, you can join The StationX VIP Cyber Security Career Development Platform.

  • Nathan House

    Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the year 2022.

  • Michael Dallas says:

    Thank you Nathan

  • David says:

    Hi Nathan,

    I agree with the shortage of IT Security Professionals but expecting a CISSP certification, which requires five years of experience, a degree or other high-level certifications is not the first place to look.

    Look to build within your organization, pay for certifications and pay above the industry if you want to attract and keep talent.

    People new to IT have to start somewhere and that is not CISSP.

    I’m not saying that CISSPs are not available, they are. However, I would like to see more companies develop and keep their own talent.

  • AntiEvil says:

    I am glad my investment in obtaining the CISSP in 2007 continues to hold value 14 years later. It has allowed me to enjoy a career as a Senior Cybersecurity Engineer for a global financial network where I work on a team that designs global authentication systems.

    So yes, a CISSP is a gateway to a cybersecurity career.

  • Alpha Sulayman jallow says:

    Great article, found it helpful as I am new to the field. Thank you!

  • JJ says:

    CISSP = Joke
    SANS GIAC is where the real knowledge is, and it is practical. Get your GCIH.

    • Nathan House says:

      What you’re saying is too simplistic.
      CISSP – most requested certificate in job adverts. Respected.

      SANS GIAC – much less requested and less recognized. More practical than CISSP. SANS training costs are outrageous and unobtainable for many.

  • Oswald Langa says:

    Jeez, thank you man, going through your volumes as well and Python.

  • Conor O'Brien says:

    Hi Nathan, can you recommend a professional industry body in cyber security? (UK and US) I think CISM, CISA and CISSP are for people with 3 to 5 years of experience in cyber security… to correction on this.

  • Ajinkya Takawale says:

    As my desire is to be a pentester, should I do CISSP or any certification related to pentesting?

  • Srashti Jain says:

    You shared such a great article, I’m just sharing this with my friends so that they also gain great information regarding cyber security courses.
