Study finds companies are mishandling cyber security recruitment

An employee on the phone while his computer screen shows "cyber attack" warning
(Image credit: Shutterstock)

Companies are sabotaging their cyber security efforts with a mixture of poor recruiting and training practices, warned a report from the Information Systems Security Association and tech advisory company the Enterprise Strategy Group today.

The 2021 edition of the Life and Times of Cybersecurity Professionals report found the skills shortage in this sector is as bad as ever. Of the 489 cyber security professionals surveyed, 44% said it had worsened, while half said it was around the same over the past few years.

The cyber security skills shortage is contributing to workplace stresses for cyber security professionals, who singled out an overwhelming workload as the third most stressful issue. Six in 10 reported an increasing workload on existing staff, with roughly the same number highlighting an effect on work/life balance, and just over a third reporting an unhealthy level of job-related stress.

The top two stress factors were dealing with IT projects created with no security oversight and dealing with disinterested business managers.

Companies having difficulty finding cyber security staff would ideally train the ones they have to make them more productive. This was a priority for 91% of cyber security professionals, who felt that failing to update their skills put them at a disadvantage when protecting their organizations. Yet six in 10 felt job requirements stop them from updating their skills.


Don’t just educate: Create cyber-safe behaviour

Designing effective security awareness and training programmes


The answer is to carve out more time for training in staff schedules, the report advised.

The experience of recruits is a related problem. One in three respondents said their organizations were forced to hire and train junior employees rather than experienced candidates, as the latter were hard to find.

Recruitment teams are a factor in the failure to hire experienced staff and often misstep when hiring cyber security pros, the report warned. There is no shortage of job offers, with recruiters soliciting 70% of respondents at least once per month. However, those recruiters often don't understand the sector, and the job offerings are poor.

A lack of competitive compensation was a common complaint, which is a problem given it is the second-highest indicator of job satisfaction. Unrealistic job postings, such as demanding too much experience and too many certifications, were another common problem. This means new security postings often remain unfilled for weeks or months.

Danny Bradbury

Danny Bradbury has been a print journalist specialising in technology since 1989 and a freelance writer since 1994. He has written for national publications on both sides of the Atlantic and has won awards for his investigative cybersecurity journalism work and his arts and culture writing. 

Danny writes about many different technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector and has worked as a presenter for multiple webinars and podcasts.