Don’t Take Your Next Cybersecurity Job for Granted
From ITPro Today
RSA CONFERENCE — It’s a good time to be a cybersecurity professional. There are plenty of jobs, and there is plenty of work to be done. ISACA’s 2019 State of Cybersecurity research report, released at the RSA Conference this week, found that 69 percent of companies say their cybersecurity teams are understaffed, and 58 percent have unfilled or open cybersecurity positions. Companies also are having trouble retaining cybersecurity professionals, even if they offer training and certification.
Cybersecurity pros agree, and it’s making their job more difficult. According to information presented at an RSAC session called “Hearing Voices: The Cybersecurity Pro’s View of the Profession,” about one-third of cybersecurity professionals say the cybersecurity staff at their company is understaffed for the size of the organization. The data comes from a new survey developed by the Information Systems Security Association (ISSA) in conjunction with analyst firm ESG.
Clearly, it’s a seller’s market. So why should cybersecurity professionals worry?
Because problems arise when it’s time to change jobs, which cybersecurity pros often want to do to earn more money, find a better culture or environment, or take on new challenges.
“Some people go through their entire career as a ‘cybersecurity professional’ without ever having touched a packet, done forensics, or had much technical hands-on experience, and that’s what companies want today,” said Frank Downs, director of cybersecurity practices at ISACA. “Companies today are looking for on-the-ground skills and experience.”
If you don’t have the type of practical skills companies want in cybersecurity professionals, it’s past time to get them. And the best time to do it is when you’re still fairly happy with the job you have. According to research from ISSA, the most in-demand areas of cybersecurity include cloud computing security, application security, security analysis and investigation, and risk and/or compliance administration.
Ideally, your company will pay for you to take training courses and earn certifications, but if they don’t, consider your money a deposit against future earnings. ISSA found that the most valuable certifications for cybersecurity pros are CISSP, CISM, CompTIA Security, CISA, and CEH. Ideally, any training program will incorporate hands-on experience.
“Cybersecurity pros also should be innovative by learning from peers as well as virtually,” said Candy Alexander, ISSA’s international president and virtual CISO. “It’s the best way to gain the knowledge to ‘fight the good fight’ as new risks and technologies are identified.”
In addition to taking training courses and earning certifications, it’s important to understand the business. The ISACA survey found that the biggest skills gap for today’s cybersecurity professional is the ability to understand the business.
“Companies want technical people, but they also want them to understand how technology impacts the business, along with the organizational structure. And they want them to be effective communicators,” Downs said. “It’s like they are looking for a purple unicorn, but if you can be that purple unicorn, you’ll go far.”
With these skills, cybersecurity pros should have their pick of jobs, along with excellent job security. Because there are so many open positions, they can afford to be picky, and they should, Alexander said.
“Cyber pros should be looking for a place that understands their …