Nearly half of all companies have difficulty recruiting the cyber-security workers, but are not training or offering career options to the workers they have, according to a survey.
Companies need to help their cyber-security specialists not only keep their skills up to date, but develop new ones, which is a hard idea to sell when these workers change jobs so often, according to a new survey released on Oct. 5 by the Information System Security Association.
The survey of more than 430 security professionals, conducted by the Enterprise Strategy Group, found significant dissatisfaction among workers in the industry while underscoring the demand for these skilled employees and their good job prospects, a combination that highlights companies’ difficulties in retaining security workers.
The survey found 56 percent of security professions believed their company did not provide adequate training to keep up their skills. At the same time, 46 percent of those workers received an offer to apply for another job at least every week.
Companies that do not invest in their workforce nor provide clear career paths have to come to grips with the rapid employee turnover resulting from the high demand for security professionals, John Oltsik, senior principal analyst for ESG, said during a press call announcing the results of the survey.
“We are understaffed, we are severely under-skilled and we are not investing resources into keeping people up to speed,” he said. “This poses an existential threat.”
It’s no surprise that there are not enough cyber-security specialists to go around. Even though 200,000 workers were expected to enter cyber-security positions last year, there will be a shortfall of 1.5 million globally by 2020, according to a 2015 survey conducted by Frost & Sullivan.
The security workforce shortfall has made workers hard to find and even harder to retain. Companies that prioritize security behind other business goals, that fail to meet market rates for security professionals and do not provide opportunities for skill development are most likely to lose workers, according to the ISSA survey.
About two-thirds of respondents, for example, stated that they did not have a clear career path. The workers identified mentorship, a standardized career map and technical training requirements as positive steps a company can take to help them with their careers.
Yet, the survey suggests that companies who make cyber-security a priority, offer a clear career path to become cyber-security specialists and continue to train their employees have a better chance of retaining their workers, Candy Alexander, CISO and chief architect for cyber-security career lifecycle for the Information Systems Security Association, said on the conference call with media.
“When you look at the history of the profession, we take a reactive approach—when we have breaches, we focus on stopping the bad guy,” she said. “We have to stop being a reactive profession and start being a proactive profession.”
In addition, while cyber-security specialists are in demand in some high-tech areas of the country—such as San Francisco, Boston and New York, living expenses can have dramatic impact on effective pay, according to jobs site Indeed.com. The best average salary, adjusted for living expenses, is in Minneapolis, Minnesota, according the company’s analysis.