The information security industry hasn't made any significant strides in addressing the workforce shortage, according to a report released this morning by ISACA.
"There's been a lot of discussion," said Eddie Schwartz, member of the ISACA Board of Directors and EVP of cyberservices at Abu Dhabi-based Dark Matter LLC. "There have been a lot of calls to action by industry and government. But there hasn't been improvement in the numbers we're seeing."
According to the survey, 26 percent of companies said that it takes an average of six months to fill an open position, and 6 percent said they cannot fill open positions at all.
And the applicants that they do get are less likely to be qualified. This year, 37 percent of companies said that fewer than 25 percent of job applicants were qualified, up from 33 percent last year.
The biggest reason that applicants are found to be unqualified is that they can't demonstrate their skills.
For example, said Schwartz, some companies administer hands-on tests. "Given a scenario like a data breach or malware infestation, can you sort through it, can you make the right decision, and come out with some sort of plan of action?"
ISACA also offers a practical skills test, he added.
This is not the same as the certifications commonly seen in the industry.
"Most certifications today are just multiple choice tests where you just memorize a body of knowledge," he said. "Over the years, we've seen the advent of bootcamps, where you could study a body of knowledge for a week and cram for an exam. Many employers have lost faith in these types of approaches."
According to the survey, 55 percent of respondents said that a practical verification of skills was the most important quality they looked for in a candidate, while only 12 percent said that certifications were most important.
"I think in general in the security industry, many of the certifications have lost their luster and have just become minimal bars for even submitting your resume," said Schwartz.
Formal education scored even worse, with only 10 percent of respondents saying this was what they looked for first. In addition, formal education was the least cited reason for disqualifying a job candidate. "There seems to be a focus on finding people with proven skills," he said.
One survey result that surprised him, Schwartz said, was the low weight given to personal references. Only 13 percent of respondents said that this was an applicant's most important attribute.
"I think that's a really unfortunate viewpoint," he said. "In cybersecurity, because it's such a small community, a lot of the success of hiring has to do with who you know, finding people through your network, and recommending people who you know have the skills."
This story, "Quarter of firms can't fill open infosec positions," was originally published by CSO.