The Catch-22 that has affected the cybersecurity profession since its inception remains a serious problem, according to a newly released report . To get a job in cybersecurity, many organizations require hands-on experience, but gaining that experience requires having a previous cybersecurity position in the first place.

This conundrum is a challenge cybersecurity talent is fighting to overcome. The report is based on a study of 327 cybersecurity professionals in late 2019 and early 2020 by the Enterprise Strategy Group (ESG) for the Information Systems Security Association (ISSA). The findings underscore the need for more training and certification, and more creative approaches by hiring managers to find talent in unexpected places.

“There is a continuous lack of training, career development, and long-term planning. As a result, cybersecurity professionals often muddle through their careers with little direction, jumping from job to job and enhancing their skillsets on the fly rather than in any systematic way. This, combined with the continued cybersecurity skills shortage, has stalled cybersecurity progress,” the report says.

According to the report, cybersecurity skills have deteriorated for four consecutive years, putting at risk the operations of 70% of the organizations represented in the study. The issue, according to the study, is a combination of lack of training and the skills gap, which by (ISC)²’s estimate requires more than 4 million additional cybersecurity staffers worldwide.

However, (ISC)² research also paints a much less grim picture of the career satisfaction levels cybersecurity professionals report. According to the 2019 Cybersecurity Workforce Study , more than half (56%) of the 3,237 cybersecurity respondents indicated that they are either “exactly” or “very close” to where they were expecting to be in their careers. An additional 66% were either “very” or “somewhat” satisfied with their current jobs.

Training and Certification

The ESG report makes a strong case for “continuous cybersecurity education and professional development,” starting at the public education level. Also needed are “a comprehensive globally accepted career development plan, and career mapping against multiple business disciplines to weave cybersecurity within the business.”

Ongoing career training is key. Asked what advice they would give to someone interested in a cybersecurity career, respondents listed finding a mentor, getting cybersecurity certifications and seeking out internships for hands-on experience as their top three recommendations.According to the study, the most popular certification and “most important for getting a cybersecurity job” is the CISSP , which demonstrates that cybersecurity professionals have the skills to effectively design, implement and manage a best-in-class cybersecurity program. Not surprisingly, (ISC)² has found that CISSP-certified professionals are the most sought-after around the world.

And although cybersecurity professionals aren’t primarily motivated by compensation, those who earn CISSP certifications tend to command healthy salaries. (ISC)² research shows the average salary globally is $75,212 and $102,326 in North America.

This is not to say that the CISSP should be a requirement for every cybersecurity role though. The reality is that most entry- and even mid-level staffers will not have the requisite five years of cybersecurity experience needed to attain the certification. But hiring managers who overlook strong candidates because they are lacking certain letters after their names may be missing out on talented hires that could benefit their teams. Hiring for aptitude and the ability to learn and grow should outweigh certification requirements for many positions.  

Aspiring cybersecurity professionals can still help themselves by getting as much hands-on experience as possible and seeking out ways to advance their careers. Becoming CISSP-certified is also helpful if the shoe fits.