Three-quarters of organizations experience difficulty attracting qualified IT security candidates, a recent survey found.

According to the “Staffing the IT Security Function in the Age of Automation” report, sponsored by DomainTools and conducted by the Ponemon Institute, just one-quarter of IT and security practitioners said their organization has no trouble finding qualified candidates. That’s down from 34 percent in 2013.

The retention rate of skilled professionals is slightly better at 28 percent, a figure that slid from 42 percent five years prior. Even so, more personnel said their organization’s security functions were understaffed in 2018 (75 percent) compared to 2013 (70 percent).

IT Security Staffing Weighed Down by the Skills Gap

The Ponemon Institute surveyed 615 IT and security professionals for the study. Their responses provided insight into how and why organizations are failing to keep up with their staffing duties.

The survey traced part of the problem to hiring managers’ high expectations regarding the education, knowledge and requisite skills of job candidates. For instance, more than half (55 percent) of respondents said their organization expects applicants to hold either a master’s or bachelor’s degree in IT security or a related field. Meanwhile, 52 percent reported that their employer looks for candidates with professional certifications, such as Certified Information Systems Security Professional (CISSP).

Ponemon found that organizations don’t go easy on entry-level applicants, either. Respondents said their employer requires candidates to possess an understanding of cybersecurity threats (39 percent), intrusion detection and prevention systems (19 percent), and security standards and frameworks (18 percent).

Similarly, 25 percent of respondents revealed that their organization looks for entry-level individuals who can maintain security records for incident response activities, while slightly fewer participants said the same about the ability to evaluate malware (21 percent) and perform threat analyses (18 percent).

The above percentages were all higher with respect to attracting experienced professionals.

Reasons for Staffing Failures

The survey suggested that common hiring practices may be contributing to the cybersecurity skills shortage. Just 24 percent of respondents said their employer views IT security as a viable career path, for example, while 39 percent of IT practitioners said their organizations offer generous compensation packages.

Looking ahead, Joseph Carson, chief security scientist at Thycotic, asserted that companies’ staffing woes won’t improve with the acceleration of automation, artificial intelligence (AI) and machine learning. He noted that such developments require “constant human cognitive input” to make sense of what’s going on. As a result, he explained that companies need to invest more in human security personnel to make the most of automation.

“Don’t expect to get any value out of AI or machine learning–powered tools if you do not have sufficiently skilled staff to use them correctly,” Carson said, as quoted by Infosecurity Magazine. “These tools will only be as good as the humans interpreting the output.”

At the same time, Ponemon suggested that organizations can overcome some of their staffing challenges by looking past candidates’ technical skills and urged prospective IT professionals to recognize the importance of on-the-job experience when applying for a security role.