A new report out of the UK takes a deep look at the oft-reported security skills shortage and finds that while fewer businesses are dealing with overall technical skills gaps, they are especially struggling to find qualified people to fill specialized security roles.
The Department for Digital, Culture, Media & Sport (DCMS) report is the result of analysis from interviews with training organizations, labor market databases and quantitative surveys with several UK organizations.
The research reveals fewer businesses (48%) report having basic technical skills gaps in 2020. This is down from similar research from DCMS in 2018 that found 54% were struggling with skills gaps at the time. But more businesses are seeking certain expertise, such as incident response, which is even more difficult to find in the hiring process these days. For example, according to the report, more businesses now consider it essential to have incident response skills among their security staff, with 23% listing it as an essential skill. Yet, a quarter (27%) have a skills gap when it comes to incident response but don’t outsource it.
The analysis concludes approximately 30% of business also have more advanced skills gaps in other areas, such as penetration testing, forensic analysis and security architecture.
“A lot of these advanced cybersecurity skills are things organizations simply haven’t had to hire full-time resources for in the past. Things like pentesting and forensics are usually seen as occasional requirements, not part of core IT responsibilities. Incident response is another example, a process that is generally thought of as an ‘in case of emergency’ skill,” said Jason Revill, head of the Avanade UK and Ireland security consulting practice. “Unfortunately, many of these skills have suddenly become a lot more essential and a lot more in demand.”
Unfortunate indeed, as 25% of respondents said skills gaps have prevented them to a great extent from achieving business goals.
Ben Rothke, a senior information security specialist with Tapad, and frequent author on industry trends, recently wrote an article taking to task the hype surrounding the security skills shortage. “The fallacy of the information security skill shortage” argued while there are shortages of information professionals, that is due in large part to firms that do not want to pay market rates for people.
But Rothke also admitted that even where competitive salaries are offered, he observeds that there are several types of positions where qualified people are in short supply.
They include specialty areas, such as:
- Information security architect
- Senior application security developer
- Cloud security
- Sales engineer
The DCMS research finds the most common roles in demand are security engineers (18%), security analysts (13%), security architects (10%), security managers (9%) and security consultants (8%).
Softer Skills Also Hard To Fill on Security Teams
Softer skills, like communication and management, are also tripping up hiring managers seeking to round out security teams. A total of 3 in 10 cyber firms (29%) said that job applicants lacking non-technical skills such as communication, leadership or management skills have prevented them to some extent from meeting their business goals, and a similar proportion (28%) said this about their existing employees.
Around 7 in 10 cyber sector businesses (68%) have tried to recruit someone in a cyber role within the last three years. These employers reported 35% of their vacancies were hard to fill. In 43% of cases, respondents said this was because applicants lacked technical skills or knowledge. However, applicants lacking soft skills (22%) was also a common contributing factor.
You Get What You Pay For?
To Rothke’s point about pay as the sticking issue, high salary demands were listed as a challenge in the research as well. But respondents also said they had concerns about people frequently applying for roles for which they did not have the skills or experience and exaggerating their expertise and experience in resumes.
“Firms that are willing to pay respectable salaries will be able to find good people,” he said. “I do not know of a single organization paying a reasonable wage that has significant problems finding people. I am not talking about salaries that are a few percent below market rate; I am talking about salaries and consulting rates that are 50% below the market rate. Salaries like these can only be offered by firms that are oblivious to current hiring and technology trends.”
Revill noted that because CISOs and security teams now occupy a more strategic role in business, security hiring managers will be seeking candidates with more “holistic” backgrounds that can wear multiple hats. But it will continue to be hard to find them.
“Unfortunately, security professionals, whilst in demand, will still have their pick of where they want to work, and unless your company meets their criteria, you’d be better looking toward a partner who can,” he said.