
ISACA state of security report: Gender diversity issues troubling

John P. Mello Jr., Freelance writer

Gender diversity programs for cybersecurity pros are on the decline, and the perception of their effectiveness is waning. Those are just two of the findings in a new report by ISACA on the nation's cybersecurity workforce, released Monday at the RSA Conference in San Francisco.

Less than half (45%) of the female respondents to the survey, which drew on more than 1,500 information security practitioners, believe men and women have an equal opportunity for advancement in the field. That's six points lower than last year's tally.

Here are key takeaways from ISACA's cybersecurity workforce report.


Gender diversity and the perception gap

Organizations don't seem to be making an effort to recruit women. More than half the companies in the survey (56%) revealed that they don't have a specific goal for increasing the number of women in cybersecurity roles. However, that may be influenced by the fact that 71% of respondents said their organizations have no difficulty retaining women in cybersecurity roles.

Diversity programs for women also appear to be on the decline, the survey found. Of the organizations that told surveyors they have a goal of increasing the number of women in cybersecurity, only 44% have programs to support female cyber pros. That's seven points lower than last year.

The effectiveness of those programs also seems to be in doubt. Although more than half the women (59%) in organizations with diversity programs told surveyors they felt women are offered the same opportunities for career advancement as men, that's 18 points lower than last year's finding.

Contrast that with the perception of men in enterprises with gender diversity programs and there appears to be a perception gap. In those organizations, 90% of men—a three-point jump over last year—believe equal opportunity for advancement exists in their outfits.

Rob Clyde, ISACA board chair, said respondents do not believe their organizations prioritize increasing the number of women in cybersecurity roles or advancing them within the organization.

"Attempts to diversify the workforce and create gender inclusion are either not happening enough or are failing to meet employee expectations."
—Rob Clyde

Nevertheless, diversity remains a burning issue in tech circles, said Stan Wisseman, chief security strategist and business development director for security products for Micro Focus.

"I think diversity is very hot and female job seekers are being highly pursued aggressively."
—Stan Wisseman


Bodies and skills in short supply

The inability to fill open positions continues to plague the field, the survey found. More than half the information security pros surveyed (58%) said their organizations have unfilled cybersecurity positions.

Meanwhile, more organizations are finding that it's taking longer to fill those open slots. Enterprises with positions open at least six months jumped six points from last year, to 32%. Organizations with jobs open at least three months increased, too, to 30% this year, up from 25% last year.

Looking at those numbers holistically, 60% of enterprises are waiting at least three months before they can fill a cybersecurity position.

Unqualified candidates are applying

One of the more surprising findings of the survey relates to the candidates who are applying for cybersecurity positions. "The majority of applicants are not well-suited for the actual positions that are needed," said Frank Downs, ISACA's director of cybersecurity practices.

Sixty percent of respondents said that 50% or fewer of the applications they receive for cybersecurity positions have the right qualifications. Hiring managers are looking for people who are technically competent and have enough business acumen to perform cybersecurity within the parameters of business operations requirements, he said.

Downs acknowledged, however, that those folks are hard to find.

"You're talking about unicorns, someone who's not just good at cybersecurity and technically meets your requirements but is also able to clearly articulate problems and work organizationally within the business."
—Frank Downs

Johannes Ullrich, chief research officer at the SANS Institute, a provider of information security training, said it is difficult to fill cybersecurity positions because the field is relatively new, and rapidly increasing in importance.

"There is not yet a good pipeline to train people for cybersecurity positions. It is also difficult to accurately define the requirements for some of these positions."
—Johannes Ullrich

He said that requirements are often overly strict, making it hard for applicants to find jobs they are qualified for.

"Companies have to learn to find candidates with the right aptitude and technical background, and then train them after hiring them to do the specific job. Internal training programs are particularly important in a fast-changing field like cybersecurity."
—Johannes Ullrich

Nearly half of survey respondents (49%) named the ability to understand the business as the biggest skill gap in the average cybersecurity professional.

Downs added that while DevOps skills aren't mentioned in the report, they can be an important part of a cybersecurity applicant's résumé.

"DevSecOps is definitely on the rise, which only makes sense."
—Frank Downs


Retaining talent is challenging

There's a strong sellers' market for information security pros at the moment: 64% of survey participants say they're having trouble retaining talent.

"The carrots and sticks that worked in the past aren't working as effectively now."
—Frank Downs

Better pay plays a big role in talent migration, the survey found, with 82% of cybersecurity pros citing better financial incentives as a reason for leaving their jobs.

In addition, more than half of the survey's respondents (57%) identified promotional and development opportunities as a cause for bolting from a position, and nearly half (46%) said a better work culture was a cause for migration.

Chris Morales, head of security analytics at Vectra, a provider of automated threat management products, said that part of the retention problem can be linked to the tools given to cybersecurity practitioners. Of the 892 respondents to a survey his company conducted at the Black Hat conference last year, nearly half said the least satisfying aspect of their job was reviewing security alerts to determine whether or not there is a threat.

Too many threat detection products produce alerts that must be triaged, scored and prioritized by a person, resulting in alert fatigue.

"Organizations from Texas A&M to Ottawa Hydro are using AI to perform the manual mundane work of alert triage, scoring and prioritization so security analysts can focus on incidents that represent the greatest risk to their organizations. This increases the retention of security analysts and trains the next generation workforce."
—Chris Morales

Ways to keep employees

The survey also identified how organizations are addressing the retention problem. More than half (57%) of respondents said they used training as an incentive to keep information security staff in the fold, while more than one third (36%) resorted to outside contractors to solve retention issues, and 18% increased the use of artificial intelligence and automation.

"Leveraging a third party for cybersecurity purposes shifts the staffing requirements, including recruiting and retaining staff, to another organization," the ISACA report said. This method allows an enterprise to reduce any potential risk from attempting to obtain and maintain cybersecurity professionals natively.

Meanwhile, almost a quarter of the information security pros surveyed (23%) indicated that their organizations used certifications as a way of retaining talent. The use of certifications is an understandable method of retention, the survey reported, because individuals in cybersecurity find great professional pride and personal satisfaction in obtaining a certification in the field.

Budgets increasing more slowly

Despite growing concerns about cybersecurity threats, many companies are tapping the brakes on information security spending. Although more than half of the information security pros (55%) expect their cybersecurity budgets to increase in 2019, that's nine points lower than last year.

These results "seem to align with a cyclical pattern where every other year cybersecurity budgets increase," the survey said.

Perhaps unsurprisingly, 60% of the survey respondents felt that their cybersecurity budget was underfunded. Slower-than-expected budget increases may fuel the feeling that companies are underfunding cybersecurity, making it harder to retain security pros, the survey warned.

Between a cybersecurity workforce gap that's become more pronounced as talent becomes harder to find, and a highly competitive market in which traditional retention strategies can't compete with higher salaries and career advancement, things may appear bleak for many information security teams. But that needn't be the case, the report said.

"Organizations that acknowledge the statistics shown in this research should be able to fill open positions quicker and retain their current talent. The successful hiring and retention elements are attractive pay, career growth opportunities, and healthy work environments."
—ISACA report
