ISACA’s 2021 State of Cybersecurity survey demonstrates an industry in transition – not just from the COVID-19 pandemic, but by shifting needs and improved maturity. A few notes before we dive into the specifics of the report:
- This survey is primarily responded to by ISACA members (93 per cent).
- A majority of the respondents are working for larger organizations (1,500 employees or more).
- 61 per cent of respondents state that they are somewhat or significantly understaffed.
One of the important underlying trends in our industry has been a significant influx of university programs and recent graduates as the industry seeks to fill a wide variety of unfilled positions, and higher education offers programs to fill that gap. Many of us “old timers” entered the industry informally, where someone took a chance on us and we learned on the job. Certifications like CISM, CSX-P, CISSP and the SANS arose to fill the gaps, and credentials and experience became the primary mechanism for employers to evaluate a candidate’s qualifications for the role.
Since there were few people with the years or even decades of diverse, hands-on experience expected by employers, shortfalls arose and salaries rose quickly for those with the right resumes, credentials and certificates.
Today, those surveyed continue to rely on hands-on experience as the primary method of judging candidates’ qualifications and consider university education as a less robust method of evaluation. This has created an unusual challenge – a flood of new candidates seeking to enter the field, mismatched to the very qualifications employers are judging against.
For those considering entry into the industry, there are a few key takeaways from the data in this survey when considering educational opportunities:
- Choose a program that is heavy on hands-on experience rather than purely theoretical ideally, a program that includes co-op/work placement opportunities during the course of the program.
- The data shows significant skill gaps in software, data analytics, coding and cloud. Choose a program that prioritizes those skills over traditional core skills like networking and infrastructure technology.
- So called “soft-skills” continue to be a key gap. Personally, I think calling them “soft skills” creates an illusion of lower value, whereas recognizing that strong written and verbal communications, business analysis, and teamwork are in fact very important skills that will enable long-term success for members of our industry. Entrants should look for activities (extra-curricular if not offered in the core program) that allow them to develop these skills.
- Educators who are designing programs should also make sure that they cover these areas – coding/data analysis, hands-on work, “soft skills” development to ensure that their graduates have the cyber security skills in demand in 2021 and beyond.
For those hiring and developing talent, there are also some great guidelines in the data:
- Employers should ensure they have a strong skills development program for their team members. This needs to cover not only technical skills and certifications but also the “soft skills” that continue to be a gap expressed in the data.
- Where hiring challenges exist, it is primarily in individual technical and non-technical contributor roles. Again, we need to be prepared to take on less experienced candidates and mentor/develop them.
- Looking within your organization in non-traditional areas (for example, software development rather than just IT) will help to gain some of the core code/development competencies that are consistently lacking in the team. Note that this will likely drive an increase in staff costs as developers are already under significant demand, and DevSecOps people are less common and in high demand.
Although it isn’t expressed in the data, my personal belief is that employers opening up to distributed work expands the candidate pool, enables roles to be filled more rapidly and supports a higher diversity of candidates. As cybersecurity is a business of bits not atoms, we believe that leaning in on remote work will help employers build strong, diverse teams.
Those of us fortunate to have entered this field many moons ago need to appreciate the opportunities given to us, and ensure we create an industry that continues to be filled with opportunity for people of diverse backgrounds, with different levels of privilege, to build a strong and rewarding career. Being flexible in hiring without gatekeeping based on specific degrees or credentials, and ensuring we have strong development pipelines, will ensure a field that is full of talented, motivated co-workers who will help us all progress our industry.