With ransomware attacks soaring in both number and payoff demands, enterprises are often navigating the escalating threat environment with a dearth of internal expertise. Industry estimates place the number of unfilled security positions at 2.7 million globally. Facing an onslaught of threats, many organizations are reassessing their approaches to staffing and casting a wider net when hiring for IT security roles.
In a recent survey of 1,250 hiring managers in Canada, India, the United Kingdom and the United States, the non-profit International Information System Security Certification Consortium (ISC)² found many organizations are increasingly hiring staff with limited or no experience in cybersecurity.
Today, entry-level and junior-level staff combined account for almost two-thirds of all security positions. For the purposes of the study, entry level is defined as less than one year of experience working in the security field, and junior level as less than four years. The smaller the company, the larger the percentage of less experienced security professionals. That said, even large firms draw on entry-level and junior-level IT security staff to fill their ranks: companies with 5,000 or more employees report that entry-level and junior-level employees make up 56% of their security organizations.
Enterprises recruit internally
Some also recruit from other departments within their organization. The smaller the organization, the more likely it is to use this avenue, with 46% of entities with fewer than 100 employees going this route versus 34% of businesses with 5,000 or more employees. Other departments in IT are the most common sources for cross-skilling or upskilling workers in cybersecurity, representing 89% of the retrained security workers. However, staff come from other departments as well, including customer service, communications, and human resources.
Training is obviously a fundamental component of helping these newer security professionals be effective in their roles. Most of these enterprises (91%) provide training to these workers during work hours. These efforts can yield good results quickly. Thirty-seven percent of the surveyed hiring managers said the lower-level staff members were able to take on tasks within six months or less after they were hired. Most described the spend associated with training lower-level security staff as reasonable. Eighty-two percent said training costs were less than $5,000, with 42% spending under $1,000 to bring their new staff to a point where they can take ownership of assignments.