Organizations have placed a significant focus on filling cybersecurity positions, seeking professionals with the right background to address technical security tasks and facilitate the success of broader business goals.
As cybercriminals continue to develop sophisticated attacks and business leaders aim to drive digital transformation efforts forward, a well-equipped security team is essential to the success of an organization. Together, these two trends have changed the skills and abilities that CISOs and other executives seek when hiring security talent.
Similar to the changes happening at the CISO level, where the role is now taking on business enablement, we are now seeing a shift occur for those seeking Security Architect positions.
A New Study on the Security Architect Recruiting Process
The role of Security Architect, who is tasked with building security infrastructures that not only respond to but can also anticipate threats, has traditionally drawn applicants that demonstrate hard, tactical skillsets. However, CISOs are increasingly focusing on candidates that share a balanced mix of hard and soft skills, as indicated by a recent Fortinet study.
Cybersecurity is an extremely competitive field due to the cyberskills shortage, an issue that goes beyond a lack of incoming talent and also encompasses those in the field without the skills necessary to meet today’s specific needs. To this end, the Security Architect Skill Gap Report illuminates the information needed to minimize the impact of this skills shortage. It does this by providing CISOs with the data and context needed to hone their recruiting process for Security Architects while demonstrating how applicants must adapt to evolving business requirements.
The Skills CISOs Are Looking for In Security Architects
As CISOs aim to build out their security teams with professionals who can combat modern cyberattacks and secure their digital transformation efforts, they seek a variety of hard and soft skills that highlight strategy and analysis in addition to traditional design and configuration abilities. While these requirements may vary across organizations based on specific needs, there are a few trends worth noting.
CISOs require candidates to be proficient in risk management and security standards, and to understand business goals and how they will translate into security practices. These types of skills were mentioned more often in Security Architect job ads than tactical abilities such as encryption, firewalls, or security controls.
This is indicative of the need to focus on security in conjunction with business enablement. However, this does not mean that CISOs have stopped looking for technical skills and experience with specific systems altogether.
The top hard skillsets that organizations are looking for in Security Architect applicants include:
· Security Architecture
· Risk Management
· Security Standards
· Security Controls
As security teams play a greater role in business enablement, CISOs also seek candidates with demonstrated abilities in the soft skillsets necessary to collaborate and strategize across lines of business. The data shows that the soft skills referenced in Security Architect job ads and responding resumes typically fall into four categories:
· Analytical: Analysis, research, and problem solving
· Leadership: Planning, mentoring, leading
· Personal Characteristics: Integrity, focus
· Communication / Interpersonal: Interpersonal, collaboration, communications
The data indicates that CISOs are now looking for candidates that are comfortable shifting between strategic and tactical tasks. For example, this means preparing for or responding to a security incident without ignoring important ongoing strategic tasks such as conducting risk assessments or defining secure approaches for cloud adoption.
In addition to hard and soft skills, there are several other qualifications that are factored in when evaluating applicants for today’s Security Architect positions. Two of these considerations are education/certifications and career tenure.
Typically, organizations request that Security Architects have a bachelor’s degree, and do not necessarily look for higher forms of education. Employers also often request an average of two certifications, which may be in practices applicable to the specific needs of the positions.
Career tenure is another consideration in the hiring process. Many applicants for Security Architect positions are considered mid-career, having been in the workforce for an average of 18.8 years. The data also shows that job hopping remains an issue as personnel poaching grows in response to the growing skills gap, with the average candidate having 1.8 jobs over the last two years. This shows that CISOs must be strategic in their retention strategies in such a high-demand industry.
The Skills Gap Between Recruiters and Candidates
This data, revealed through analysis of thousands of job ads and responding resumes for Security Architect positions, also uncovered discrepancies between the skills CISOs are searching for and how prospective candidates market themselves in resumes and cover letters. This occurs for both hard and soft skills.
Rather than focusing on strategic skills such as risk management, applicants tend to only emphasize the specific technology and systems they are familiar with, such as experience with SQL, Oracle, or VPNs. Additionally, applicants often call out familiarity with industry standards, such as ISO and NIST, but don’t provide evidence of the strategies used to apply the knowledge in their jobs. In fact, fewer than half of applicants include strategic skills on their resumes.
While many applicants emphasize leadership capabilities, they often under-represent other crucial soft skills. Applicants commonly include leadership and planning on their resumes, thinking that is what prospective employers most want to see for soft skills. However, in addition to these skills, most employers frequently include analytical and communication skills as key requirements in their job listings.
Security roles are evolving, moving from tactical to strategic business enablement positions. This means that CISOs looking to fill these positions, as well as applicants seeking to be hired, must adjust how they present their requirements and qualifications.
Security Architect applicants must be sure to include their soft skillsets on their resumes. Additionally, when it comes to showcasing hard skillsets, they must incorporate strategic abilities in addition to mentioning tactical skills in specific systems.
Likewise, in job listings CISOs must use exact language that defines the specific hard and soft skills they seek. This will ensure they attract candidates who can meet strategic, analytical, and communications needs.
Keeping this information in mind will help minimize the impact of the skills gap by ensuring skilled security professionals are highlighting the right experiences to be noticed by organizations that need to enhance their security capabilities.
In addition to building security teams that have the necessary hard and soft skills, as threats become more sophisticated and organizations more digital, CISOs must also outfit these teams with controls that take an architectural approach to security. Fortinet’s Security Fabric offers automated and integrated protection with a single-pane-of-glass view. This provides Security Architects with the visibility they need into the tools and devices being used across the entire organization to minimize response time. This approach enables them to secure the network while maintaining strategic initiatives.
Download the Security Architect Skills Gap Report to learn more about the evolution of security positions.