How to develop a skilled cybersecurity team

What skills should aspiring information security workers possess and work on? What certifications can come in handy more than others? What strategies should organizations employ to develop a well-staffed cybersecurity team? Where should they look for talent? What advice do those already working in the field have for those who want to enter it?

(ISC)² wanted to know the answer to these and other questions, so they asked 1,024 infosec professionals and 1,010 cybersecurity job pursuers in the U.S. and Canada.

What do the information security professionals say?

A previous study by the non-profit organization has revealed the many obstacles to putting job seekers on a path towards a cybersecurity career.

Those who are actively seeking a role in cybersecurity have a pretty good idea which technical skills should they concentrate on acquiring. In fact, that top 5 list is identical to that compiled based on the answers by cybersecurity professionals, and includes cloud security, data analysis, coding / programming, encryption, and risk assessment / management.

The two groups also have a similar view of what are the most crucial keys to success in cybersecurity are, and those include cybersecurity certifications, IT certifications, and self-training / learning (as well soft skills like problem solving and critical and analytical thinking).

“Professionals tell us that cybersecurity certifications are important, but they are not necessarily viewed as critical prior to the first years on the job,” (ISC)² noted in the recently released Cybersecurity Career Pursuers Study. But later, though, they are a way to prove to employers, their peers and themselves that they possess certain skills.

It’s also interesting that, despite cybersecurity pros being more likely to have earned vendor-specific credentials, they think job pursuers should focus more on getting vendor-neutral ones.

Among the other things that allowed them to succeed in the field, they singled out help from mentors, patience and support from the team, and being assigned a project where they could demonstrate their skills and gain self-confidence. On the other hand, common experiences that may have prevented other candidates to thrive include being “thrown into the deep end” and being overwhelmed with numerous, disparate responsibilities.

“In a field as broad as cybersecurity it may not be a surprise that junior staffers are assigned to such a diverse slate of responsibilities. However, it may suggest a lack of standard, consistent pathways into the field for those taking on their first jobs, as well as unclear routes to advancement and success for many team members,” (ISC)² noted.

What do the infosec job seekers say?

Many of the job seekers are confident that cybersecurity is the right career choice for them: they say that they have some of the soft skills required (problem solving), they like to learn new things, they are passionate about cybersecurity, are eager to wrestle with new challenges, and feel that a career in the field can be rewarding. Some also mention job security and good salaries as a draw.

Many of them say that staying current with technology and threat landscape changes will be among the biggest challenges in the first 1-3 years of their cybersecurity career.

Other interesting insights:

• 34% of pursuers with 3 to 6 years of experience in IT show the strongest interest in pursuing cybersecurity jobs
• Women with IT roles seem to show interest in pursuing cybersecurity earlier in their IT careers compared to men
• Most job seekers currently work in the following field: IT services, banking / insurance / finance, and retail / wholesale

“The highest percent of pursuers in our study currently work in IT services, suggesting this field is fertile ground for new entrants especially among those 35 to 44 years old who may be prime candidates for transitioning to security roles,” (ISC)² pointed out.

The non-profit advises organizations to shift from hunting for (increasingly rare) extremely knowledgeable cybersecurity professionals to join their team, and to move towards finding talented and driven people – both in-house and external candidates – and commit to their professional development.

Create realistic job descriptions, seek for diverse candidates (work experience, gender, race, nationality, age), invest in education, foster mentorships, and have patience to see through this long-term strategy, (ISC)² counsels.