Organizations have placed a significant focus on filling cybersecurity positions, seeking professionals with the right background to address technical security tasks and facilitate the success of broader business goals.
As cybercriminals continue to develop sophisticated attacks and business leaders aim to drive digital transformation efforts forward, a well-equipped security team is essential to the success of an organization. Together, these two trends have changed the skills and abilities that CISOs and other executives seek when hiring security talent.
Similar to the changes happening at the CISO level, which is now taking on a business enablement role, we are now seeing a shift occur for those seeking Security Architect positions.
A New Study on the Security Architect Recruiting ProcessThe role of Security Architect, who is tasked with building security infrastructures that not only responds to but can also anticipate threats, has traditionally drawn applicants that demonstrate hard, tactical skillsets. However, CISOs are increasingly focusing on candidates that share a balanced mix of hard and soft skills, as indicated by a recent Fortinet study.
Cybersecurity is an extremely competitive field due to the cyberskills shortage , an issue that goes beyond a lack of incoming talent but also encompasses those in the field without the skills necessary to meet today’s specific needs. To this end, the Security Architect Skill Gap Report illuminates the information needed to minimize the impact of this skills shortage. This is done by providing CISOs with the data and context needed to hone their recruiting process for Security Architects while demonstrating how applicants must adapt to evolving business requirements.
The Skills CISOs Are Looking for In Security ArchitectsAs CISOs aim to build out their security teams with professionals who can combat modern cyberattacks and secure their digital transformation efforts, they seek a variety of hard and soft skills that highlight strategy and analysis in addition to traditional design and configuration abilities. While these requirements may vary across organizations based on specific needs, there are a few trends worth noting.
Hard SkillsetsCISOs require candidates to be proficient in risk management and security standards, as well as an understanding of business goals and how they will translate into security practices. These types of skills were mentioned more often in Security Architect job ads than tactical abilities such as encryption, firewalls, or security controls.
This is indicative of the need to focus on security in conjunction with business enablement. However, this does not mean that CISOs have stopped looking for technical skills and experience with specific systems altogether.
Among the top hard skillsets that organizations are looking for in Security Architect applicants include:
Security architecture Risk Management Integration Security Standards Encryption Firewalls Security Controls Soft SkillsetsAs security teams play a greater role in business enablement, CISOs also seek candidates with demonstrated
abilities in the soft skillsets necessary to collaborate and strategize across lines of business. The data shows that the soft skills referenced in Security Architect job ads and responding resumes typically fall into four categories:
Analytical: Analysis, research, and problem solving Leadership: Planning, mentoring, leading Personal Characteristics: Integrity, focus Communication / Interpersonal: Interpersonal, collaboration, communicationsThe data indicates that CISOs are now looking for candidates that are comfortable shifting between strategic and tactical tasks. For example, preparing for or responding to a security incident without ignoring important ongoing strategic tasks such as conducting risk assessments or defining secure approaches for cloud adoption.
Additional FactorsIn addition to hard and soft skills, there are several other qualifications that are factored in when evaluating applicants for today’s Security Architect positions. Two of these considerations are education/certifications and career tenure.
Typically, organizations request that Security Architects have a bachelor’s degree, and do not necessarily look for higher forms of education. Employers also often request on average two certifications, which may be in practices applicable to the specific needs of the positions.
Career tenure is another consideration in the hiring process. Many applicants for Security Architect positions are considered mid-career, having been in the workforce for an average of 18.8 years. The data also shows that job hopping remains an issue as personnel poaching grows in response the growing skills gap, with the average candidate having 1.8 jobs over the last two years. This shows that CISOs must be strategic in their retention strategies in such a high-demand industry.
The Skills Gap Between Recruiters and CandidatesThis data, revealed through analysis of thousands of job ads and responding resumes for Security Architect positions, also uncovered discrepancies between the skills CISOs are searching for and how prospective candidates market themselves in resumes and cover letters. This occurs for both hard and soft skills.
Rather than focusing on strategic skills such as risk management, applicants tend to only emphasis the specific technology and systems they are familiar with, such as experience with SQL, Oracle, or VPNs. Additionally, applicants often call out familiarity with industry standards, such as ISO and NIST, but don’t provide evidence of the strategies used to apply the knowledge in their jobs. In fact, fewer than half of applicants include strategic skills on their resumes.
While many applicants emphasize leadership capabilities, they often under-represent other crucial soft skills. Applicants commonly include leadership and planning on their resumes thinking that is what prospective employers want to see most for soft skills. However, in addition to these skills, most employers frequently include analytical and communication skills as key requirements in their job listings.
Final Thoughts
Security roles are evolving, moving from tactical to strategic business enablement positions. This means that CISOs looking to fill these positions, as well as applicants seeking to be hired, must adjust how they present their requirements and qualifications.
Security Architect applicants must be sure to include their soft skillsets on their resumes. Additionally, when it comes to showcasing hard skillsets, they must incorporate strategic abilities in addition to mentioning tactical skills in specific systems.
Likewise, in job listings CISOs must use exact language that defines the specific hard and soft skills they seek. This will ensure they attract candidates who can meet strategic,
