It’s a good time to be a cybersecurity professional. There are plenty of jobs, and there is plenty of work to be done. ISACA’s 2019 State of Cybersecurity research report, released at the RSA Conference this week, found that 69 percent of companies say their cybersecurity teams are understaffed, and 58 percent have unfilled or open cybersecurity positions. Companies also are having trouble retaining cybersecurity professionals, even if they offer training and certification.
Cybersecurity pros agree, and it’s making their job more difficult. According to information presented at an RSAC session called “Hearing Voices: The Cybersecurity Pro’s View of the Profession,” about one-third of cybersecurity professionals say the cybersecurity team at their company is understaffed for the size of the organization. The data comes from a new survey developed by the Information Systems Security Association (ISSA) in conjunction with analyst firm ESG.
Clearly, it’s a seller’s market. So why should cybersecurity professionals worry?
Because problems arise when it’s time to change jobs, which cybersecurity pros often want to do to earn more money, find a better culture or environment, or take on new challenges.
“Some people go through their entire career as a ‘cybersecurity professional’ without ever having touched a packet, done forensics, or had much technical hands-on experience, and that’s what companies want today,” said Frank Downs, director of cybersecurity practices at ISACA. “Companies today are looking for on-the-ground skills and experience.”
If you don’t have the type of practical skills companies want in cybersecurity professionals, it’s past time to get them. And the best time to do it is when you’re still fairly happy with the job you have. According to research from ISSA, the most in-demand areas of cybersecurity include cloud computing security, application security, security analysis and investigation, and risk and/or compliance administration.
Ideally, your company will pay for you to take training courses and earn certifications, but if it doesn’t, consider your money a deposit against future earnings. ISSA found that the most valuable certifications for cybersecurity pros are CISSP, CISM, CompTIA Security+, CISA, and CEH. Any training program should ideally incorporate hands-on experience.
“Cybersecurity pros also should be innovative by learning from peers as well as virtually,” said Candy Alexander, ISSA’s international president and virtual CISO. “It’s the best way to gain the knowledge to ‘fight the good fight’ as new risks and technologies are identified.”
In addition to taking training courses and earning certifications, it’s important to understand the business. The ISACA survey found that the biggest skills gap for today’s cybersecurity professional is the ability to understand the business.
“Companies want technical people, but they also want them to understand how technology impacts the business, along with the organizational structure. And they want them to be effective communicators,” Downs said. “It’s like they are looking for a purple unicorn, but if you can be that purple unicorn, you’ll go far.”
With these skills, cybersecurity pros should have their pick of jobs, along with excellent job security. Because there are so many open positions, they can afford to be picky, and they should be, Alexander said.
“Cyber pros should be looking for a place that understands their role and function, has a budget for that function, and, most importantly, values the work that is being done and the employees doing it,” she said. “For example, ask the CISO how many times they present to the Board of Directors, or ask how the security budget is determined. If the budget is determined by percentage of the IT budget, it would suggest that the function is also subordinate to IT, and that may not be the best situation for security. And ensure that security is an integral part of the business function.”
It’s also important to look at the retention and turnover statistics of a company you’re considering joining. “Retention is very difficult for a lot of these organizations, so it’s important to find an organization that not only offers you the salary and benefit you want, but has proven that it does what it takes to keep employees happy,” Downs said. Ideally, benefits will include not only a competitive salary and leave, but training and education, he added.
But finding your next job isn’t the end game. Technology continues to change, and cyber professionals must continue to change with it. That means committing to a continuing focus on education and training. Today, that might focus on machine learning, AI and blockchain, but it will change over time.
“Imagine someone who got a cybersecurity degree in 2015 and then just stopped learning,” Downs said. “How do you think they are going to do handling ransomware, which didn’t really pop up until the end of 2016? You’ve got to stay relevant.”