Facing an acute shortage of qualified cybersecurity professionals, hiring managers are recruiting entry- and junior-level practitioners to their teams. The latest (ISC)² research captured in our Cybersecurity Hiring Managers Guide reveals this practice enables organizations to build stronger and more resilient cybersecurity teams.
The findings come from a poll of 1,250 hiring cybersecurity managers who hire entry- and junior-level practitioners for small, mid-size and large organizations in the United States, Canada, United Kingdom and India.
The cybersecurity skills gap currently stands at 2.7 million worldwide, forcing hiring managers to deprioritize experience when choosing candidates who show promise. Managers are less insistent on finding technical skills and, instead, have honed their focus on non-technical skills such as ability to work in a team and independently, as well as personal attributes such as problem solving, creativity and analytical thinking.
Today, the composition of participants’ security teams across organizations of all sizes includes significant numbers of entry-level members (less than one year of experience) – typically a quarter to a third of team members. Junior-level practitioners (one to three years of experience) typically make up 30% to 37% of cybersecurity teams.
Duties and Development
Once on board, entry- and junior-level hires are getting solid opportunities for career development, with 91% of respondents saying their organizations allow staff development time during work hours.
This is a welcome trend, indicating that organizations recognize the need to invest time and money in skills development to build effective, robust teams. Practices include mentorship programs (63%), certification courses (54%), and career pathing and advancement (47%).
Development costs for most organizations are often modest, ranging from U.S. $500 to $5,000. And getting less-experienced cybersecurity staff up to speed is relatively quick. Entry-level staffers can be ready to work unsupervised in as little as six months, according to 34% of respondents, although half said it takes up to a year.
On-the-job training is common, and study respondents are tasking less-experienced team members with a number of responsibilities that place them in the thick of day-to-day cybersecurity work. For instance, 35% of respondents assign entry-level staff to alert and event monitoring and to documenting processes and procedures. Junior-level staff get assigned to information assurance (authentication, privacy) and backup, recovery and business continuity, according to 48% of respondents.
The study reveals that junior-level practitioners can be trained to handle many day-to-day cybersecurity tasks. This allows senior staffers to focus on advanced tasks such as secure software development, endpoint security, data security and risk assessment.
As the cybersecurity profession has matured over the years, a persistent problem has been a focus on hiring professionals with high levels of skills, certifications and experience. The new study shows hiring managers have become more realistic, but there is still a disconnect.
When asked about certifications they like entry- and junior-level candidates to have, hiring managers cited certifications that require several years of experience, such as the (ISC)² Certified Information Systems Security Professional (CISSP) and the ISACA Certified Information Security Manager (CISM) certification.
A more realistic expectation would be to zero-in on non-technical skills such as analytical thinking and problem solving. Then, have a plan to build up technical skills through training and certification courses once candidates are on board. This, in addition to realistic job descriptions postings, can help organizations build effective cybersecurity teams to protect them against ever-present cyber dangers.
To learn more, download the 2022 Cybersecurity Hiring Managers Guide and register for the webinar How to Hire and Develop Entry- and Junior-Level Cybersecurity Practitioners on June 23 for a roundtable discussion of (ISC)² members sharing their experiences and best practices for hiring entry- and junior-level practitioners.