SAN FRANCISCO -- Despite the attention paid to the cybersecurity skills gap in recent years, ISACA presented sobering data that suggests the problem is worsening.
At RSA Conference 2018, ISACA released its State of Cybersecurity 2018 report, which showed 59% of organizations have open security positions that they cannot fill, while 54% said it takes an average of three months or longer to fill those positions. The report "not only shows an expansion of the skills gap reported in the past, but also begins to trace its contours," according to ISACA. "Technical resources, particularly technical individual contributors, are in the most demand. That demand is likely to increase over the short to medium term."
The ISACA report, which surveyed more than 2,300 holders of ISACA's Certified Information Security Manager and Cybersecurity Nexus Practitioner certifications, contained some positive data for enterprises regarding the cybersecurity skills gap. For example, in last year's report, 37% of respondents said less than one quarter of the candidates they reviewed for open security positions were sufficiently qualified, while 30% of respondents said that was the case in the 2018 report.
But because of the rising demand for talent, ISACA said, the gap may be widening. In fact, ISACA's report showed 64% of respondents expect their organizations' security budgets will be higher this year, compared to just 50% of respondents last year.
"Given that security budgets are increasing," the report stated, "the staffing problem is logistical, rather than financial; enterprises have budget to hire, but are challenged in recruiting talented practitioners because a large segment of the available workforce lacks the skills that enterprises need."
Rob Clyde, vice chairman of ISACA and executive chairman for White Cloud Security, said despite what companies and organizations have done in recent years to address the cybersecurity skills gap, more needs to be done. "We're not narrowing the gap. It's getting worse," he told SearchSecurity. "It's an extremely tight job market, where demand is far outstripping supply."
Clyde said a big contributor to the problem is the lack of female candidates in the infosec workforce; there are not enough women entering the infosec field, and there are too many open jobs that can't be filled solely by male candidates.
"Just look around at any cybersecurity conference like RSA Conference and see how few women are there," Clyde said. "You can see a big reason why there's a gap."
ISACA's State of Cybersecurity 2018 report also highlights differences between male and female respondents on infosec careers. For example, 82% of male respondents said women have the same career-advancement opportunities in infosec as men, while just 51% of female respondents believed that was true.
However, those numbers changed significantly when the question was posed to respondents whose organizations had diversity programs; 87% of male respondents and 77% of female respondents believe women are offered the same opportunities for career advancement as men.
According to the report, 51% of respondents said their organizations had diversity programs designed to improve gender equality among employees. ISACA said this is the first year it asked about diversity programs, adding the data suggests "gender inequality seems to translate directly into loss of talented female staff."
"I think diversity programs have to be part of the answer for the gender disparity gap," Clyde said, adding that solving the issue will take many different efforts, not just one.
In addition to starting diversity programs, the ISACA report recommended enterprises invest in education and skill building for current employees. "If, as the data suggests, the skills gap is expanding and widening, these investments can reap large rewards as talent becomes more difficult to find and retain," the report stated.
Clyde also recommended organizations remove hiring restrictions and requirements for infosec job candidates regarding educational backgrounds. "Do you need a four-year degree to be an infosec professional? The honest answer is no," he said. "Hiring managers are right not to care about four-year degrees, but often those applications might not get past the HR screening. That has to change, because we can't afford to be losing technically qualified candidates who may not have a degree."