Thursday, February 16, 2017

ISACA's State of Cyber Security 2017 Report

Recently ISACA released the results of a survey as their State of Cyber Security Report 2017, part 1. You can download it at their website HERE.

Part 1 focuses on topics like "workforce challenges" and "persistent skills gap". Like many other groups, ISACA continues to push the narrative of a skills gap, and of course their solution is to train more folks in cybersecurity, ideally with their new set of CSX training and certifications.

[Full disclosure, I'm a member of ISACA and have all 4 of their original certifications].

As I've noted in past postings, I am not a believer in an overall skills gap. I will accept that in some markets and for some skill sets there may be a shortage, but it's not everywhere and not for all types.

In this report, we are told that:
  • Over a quarter of enterprises report that the time to fill cyber security and information security positions is one-half year.
  • On average, 59 percent of enterprises get at least five applicants for each open cyber security position, but most of these applicants are unqualified.
  • Practical hands-on experience is the most important cyber security candidate qualification to 55 percent of enterprises.
OK. So it takes a while to fill a role. And we are told that many get few applicants and that many of those are "unqualified".

Great. But here is the problem I have with this and other such reports. There is no further investigation as to the causes of this. We are led to conclude that this is SOLELY due to the lack of good candidates.

But is that the only cause?

Has anyone asked job APPLICANTS what they are seeing? Or maybe checked some of the recruiting-related articles I see on LinkedIn?

What I see and hear a lot is that many of the problems are caused BY THE COMPANIES THEMSELVES. How so? Many job descriptions are pretty bad. They are looking for "purple squirrels", people with an unlikely set of skills. Too often they have a whole laundry list of skills with no separation of the important "must haves" from the "nice to haves". Or the classic "two years' experience and a CISSP" type of role. And some want senior-level folks at entry-level pay.

ALL of these will keep someone from applying for a position. (A theme I see in some articles on job hunting: your lousy job descriptions are turning people away.)

Then you have the horrible on-line job submission systems, which also discourage people. I read in articles that we should avoid places with them, and that we should use our personal connections to get in. But sadly, per this report, personal endorsements don't count.

And then, how do we know who is making the decision as to the qualifications of the candidate? I've heard people tell me they applied for a position they were qualified for and didn't even get a call to interview. Who is making those decisions?

So for me the solution is NOT to pump out more "cyber security professionals" through training and certification. See the other note that practical hands-on experience is so important. Going through training and getting a cert will not get you that.

Part of the solution is fixing how companies are looking for talent. Get people who are qualified to craft meaningful job descriptions and to make hiring decisions. Not HR using keyword searches.

What are others' thoughts on this?


  1. I really like your blog and found valuable information on hands-on cyber security training. Thanks for sharing.

  2. Ethical hacking is the order of the day, and protecting your data from harm is getting widespread importance. If you live near or in Delhi, then worry not. There are several institutes which provide an ethical hacking course in Delhi.