Three-quarters of organizations experience difficulty attracting qualified IT security candidates, a recent survey found.

According to the “Staffing the IT Security Function in the Age of Automation” report, sponsored by DomainTools and conducted by the Ponemon Institute, just one-quarter of IT and security practitioners said their organization has no trouble finding qualified candidates. That’s down from 34 percent in 2013.

The retention rate of skilled professionals is slightly better at 28 percent, a figure that slid from 42 percent five years prior. Even so, more personnel said their organization’s security functions were understaffed in 2018 (75 percent) compared to 2013 (70 percent).

IT Security Staffing Weighed Down by the Skills Gap

The Ponemon Institute surveyed 615 IT and security professionals for the study. Their responses provided insight into how and why organizations are failing to keep up with their staffing duties.

The survey traced part of the problem to hiring managers’ high expectations regarding the education, knowledge and requisite skills of job candidates. For instance, more than half (55 percent) of respondents said their organization expects applicants to hold either a master’s or bachelor’s degree in IT security or a related field. Meanwhile, 52 percent reported that their employer looks for candidates with professional certifications, such as Certified Information Systems Security Professional (CISSP).

Ponemon found that organizations don’t go easy on entry-level applicants, either. Respondents said their employer requires candidates to possess an understanding of cybersecurity threats (39 percent), intrusion detection and prevention systems (19 percent), and security standards and frameworks (18 percent).

Similarly, 25 percent of respondents revealed that their organization looks for entry-level individuals who can maintain security records for incident response activities, while slightly fewer participants said the same about the ability to evaluate malware (21 percent) and perform threat analyses (18 percent).

The above percentages were all higher with respect to attracting experienced professionals.

Reasons for Staffing Failures

The survey suggested that common hiring practices may be contributing to the cybersecurity skills shortage. Just 24 percent of respondents said their employer views IT security as a viable career path, for example, while 39 percent of IT practitioners said their organizations offer generous compensation packages.

Looking ahead, Joseph Carson, chief security scientist at Thycotic, asserted that companies’ staffing woes won’t improve with the acceleration of automation, artificial intelligence (AI) and machine learning. He noted that such developments require “constant human cognitive input” to make sense of what’s going on. As a result, he explained that companies need to invest more in human security personnel to make the most of automation.

“Don’t expect to get any value out of AI or machine learning–powered tools if you do not have sufficiently skilled staff to use them correctly,” Carson said, as quoted by Infosecurity Magazine. “These tools will only be as good as the humans interpreting the output.”

At the same time, Ponemon suggested that organizations can overcome some of their staffing challenges by looking past candidates’ technical skills and urged prospective IT professionals to recognize the importance of on-the-job experience when applying for a security role.

more from

From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers

A comparative analysis performed by IBM Security X-Force uncovered evidence that suggests Bumblebee malware, which first appeared in the wild last year, was likely developed directly from source code associated with the Ramnit banking trojan. This newly discovered connection is particularly interesting as campaign activity has so far linked Bumblebee to affiliates of the threat group ITG23 (aka the Trickbot/Conti…

X-Force 2022 Insights: An Expanding OT Threat Landscape

This post was written with contributions from Dave McMillen. So far 2022 has seen international cyber security agencies issuing multiple alerts about malicious Russian cyber operations and potential attacks on critical infrastructure, the discovery of two new OT-specific pieces of malware, Industroyer2 and InController/PipeDream, and the disclosure of many operational technology (OT) vulnerabilities. The OT cyber threat landscape is expanding dramatically and OT…