Nearly half of all companies surveyed have difficulty recruiting cyber-security workers, but aren’t training or offering career options to current employees.
Companies need to help their cyber-security specialists not only keep their skills up to date, but also develop new ones—a hard idea to sell when these workers change jobs so often, according to a new survey released Oct. 5 by the Information System Security Association.
The survey of more than 430 security professionals, conducted by the Enterprise Strategy Group, found significant dissatisfaction among workers in the industry and underscored the demand for these skilled employees and their good job prospects—a combination that highlights companies' difficulties in retaining security workers.
The survey found 56 percent of security professionals believed their company did not provide adequate training to keep up their skills. At the same time, 46 percent of those workers received an offer to apply for another job at least every week.
Companies that do not invest in their workforce or provide clear career paths are coming to grips with the rapid employee turnover resulting from the high demand for security professionals, said John Oltsik, senior principal analyst for ESG, during a press call announcing the results of the survey.
"We are understaffed, we are severely underskilled and we are not investing resources into keeping people up to speed," he said. "This poses an existential threat."
It's no surprise that there are not enough cyber-security specialists to go around. Even though 200,000 workers were expected to enter cyber-security positions last year, there will be a shortfall of 1.5 million globally
by 2020, according to a 2015 survey conducted by Frost & Sullivan.
The security workforce shortfall has made workers tough to find and even tougher to retain. Companies that prioritize security behind other business goals, fail to meet market rates for security professionals and do not provide opportunities for skills development are those most likely to lose workers, according to the ISSA survey.
About two-thirds of respondents, for example, stated they did not have a clear career path. The workers identified mentorship, a standardized career map and technical training requirements as positive steps a company can take to help them with their careers.
Yet, the survey suggests that companies that make cyber-security a priority, offer a clear career path to become cyber-security specialists and continue to train their employees have a better chance of retaining their workers, said Candy Alexander, CISO and chief architect for cyber-security career life cycle for the ISSA, on the conference call with media.
"When you look at the history of the profession, we take a reactive approach—when we have breaches, we focus on stopping the bad guy," she said. "We have to stop being a reactive profession and start being a proactive profession."
In addition, while cyber-security specialists are in demand in some high-tech areas of the country—such as San Francisco, Boston and New York, living expenses can have dramatic impact on effective pay, according to jobs site Indeed.com. The best average salary, adjusted for living expenses, is in Minneapolis, according the site's analysis