Overcoming the cyber-security skills gap: experience vs qualifications

At the recent RSA Conference, FireMon surveyed the attitudes of 350 IT security professionals towards the skills shortage.

The research revealed that when it comes to hiring, 93 percent of respondents think experience is more important than qualifications. Furthermore, 73 percent said that it didn't matter whether IT staff were college graduates when it came to getting the job done.

Respondents were split down the middle as to what was more important – good communication skills or the best technical skills.

“Good communication skills can't be overlooked,” said Jeremy Martin, vice president of engineering at FireMon. “We need people with those skills to become facilitators to the business. The key to the skills gap will be identifying these opportunities and matching them with individuals who can relay the IT security messages to the rest of the company or senior management in ways that make sense in business terms.”

To keep up with the rapidly changing threat landscape, 90 percent of respondents said that IT security professionals would have to become more business savvy.

A third of respondents said they could use more intelligent IT security products. With more intuitive technology, staffing resources could be freed up from mundane tasks to focus their knowledge where it really counts.

“With all of the complexity surrounding IT security infrastructure, from the various security technologies, routers, switches, firewalls and so forth, finding ways to make management tools and workflows more intelligent can shoulder some of the burden and fill in interim staffing gaps,” Martin said.

Dr Adrian Davis, CISSP, regional managing director, EMEA region at (ISC)², told SC Media UK: “Experience is, of course, very valuable in any profession. However, relying on experience alone can result in closing the door to new entrants and can allow individuals to talk up their experience to the detriment of those they work with and the profession they claim to represent. Certifications and qualifications provide a tool for new entrants to validate their knowledge – allowing them to gain experience – and validate the experience and knowledge of seasoned individuals – providing evidence of their competence as judged against an independent objective standard. A professional will seek to gain both experience.

“Qualifications are used as an initial screening tool, whilst experience and, just as importantly, the ability of a person to ‘fit’ into a team are often the final detriments. Many employees want a candidate to possess qualifications, certifications and experience as they indicate a professional approach to cyber-security, an understanding of the subject, hands-on delivery and a personal commitment to improve, learn and be measured against an objective standard.”

Robert Clyde, member of the ISACA board of directors, told SC: “Cyber-security jobs continue to be extremely hard to fill and there's a fundamental disconnect between what employers expect and the caliber of cyber-security candidates who are available for hire. As ISACA's 2017 State of Cyber-Security study showed, hands-on experience is the most important qualification to more than half of employers. Many organisations place more weight in real-world experience and performance-based certifications and training that require far less time than a full degree programme. About 70 percent of organisations require cyber-security applicants to have a cyber-security certification. Therefore, an increased emphasis on and investment in training and professional development is a must. Hiring personnel and giving them the chance to develop that experience would go a long way toward raising cyber capabilities across all industries.

“While having a realistic sense of cyber professionals' market value is a must, investment in professional development opportunities and job rotation to help round out skills and minimise frustration with repetitive tasks also can incentivise employees to stay for longer periods. Retaining and providing professional development to employees help organisations be prepared to meet cyber-security challenges head on.”