the security administrator: providing frontline protection · soft skills quadrants, though skills...

The Security Administrator: Providing Frontline Protection

REPORT

Understanding the Cybersecurity Skills ShortageAn Analysis of Employer and Jobseeker Skills and Occupational Demographics

2

Table of Contents

Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

What Skills Matter to Employers: Analysis of Job Listings . . . . . . . . . . . . . . 4

Top Skills—Hard, Soft, and in Aggregate . . . . . . . . . . . . . . . . . . . . . . . . 4

Soft Skills Quadrants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Examining the Candidate: Security Administrator Resumes . . . . . . . . . . . . . 6

Top Skills—Hard, Soft, and in Aggregate . . . . . . . . . . . . . . . . . . . . . . . . 6

Soft Skills Quadrants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Analyzing the Gaps Between Employers and

Security Administrator Jobseekers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Hard Skills Deviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Soft Skills Deviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Education and Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Career Tenure and Job-Hopping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Gender Gap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Concluding Thoughts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

3

REPORT | The Security Administrator: Providing Frontline Protection

Executive SummaryThis report is a part of a series that analyzes various IT and cybersecurity occupations using natural language processing (NLP).1 This particular study examines the role of security administrator from the vantage point of both employers and jobseekers. Findings show that the security administrator is seen as a key professional member of the security team, with responsibilities requiring broad tactical skills and a keen understanding of strategy.

Core takeaways from the analysis include:

Employers

nn Employers mention hard skills much more often than soft skills, with only one of the 20 most cited skills identified as a soft skill.

nn Hard skills referenced in job ads tend to be tactical in nature, such as maintenance, software, and testing.

nn The few soft skills cited by employers tend to be relatively balanced across the four soft skills quadrants, though skills from the Leadership Quadrant are the least cited.

nn Problem solving, complexity, and integrity are the most cited soft skills.

Jobseekers

nn Candidates seeking security administrator roles heavily emphasize tactical hard skills, with installation, software, testing, and maintenance mentioned on more than half of resumes.

nn As with employers, the few soft skills that are mentioned on resumes span the four soft skills quadrants, with research, integrity, and customer service topping the list.

Comparison of Employers vs. Jobseekers

nn All of the top 20 overemphasized skills on security administrator resumes are hard skills, and almost all of them are tactical in nature. Installation is mentioned 52% more often in resumes than in job ads.

nn Jobseekers most commonly fail to include a few specific strategic hard skills and soft skills that are requested on job ads. Procedure management is by far the most underemphasized skill.

nn One specialized skill—experience with DISA STIG—is underemphasized by 15% and probably reflects a skills gap in the marketplace.

Demographics

nn Employers prefer security administrator candidates with a degree—presumably a bachelor’s degree—and the majority of jobseekers list one on their resumes. Further, applicants tend to list more certifications on their resumes than employers request.

nn Jobseekers, on average, have had just 1.3 jobs over the past two years, and 1.8 jobs in five years, reflecting the lowest rate of job-hopping among the nine occupations we surveyed for this series. The typical resume reflects a 21-year length of career to date.

nn 17% of the resumes we studied belong to women—more than any other role we analyzed. And, with that in mind, job listings include more female-oriented terms than male-oriented ones.

About This Series

This report series is based on an analysis of thousands of job ads and resumes using natural language processing (NLP) to highlight skill-set gaps (including hard and soft skills), educational attainment and certifications, average career tenure, and gender breakdown. The result is actionable insights for executives and board members that can help them hone their recruiting approach and hire the most qualified candidates.

The security administrator role is the least senior of the nine occupations we surveyed for this series, but our data shows that they play a key role in the trenches of cybersecurity protection.2

Mistakes they make can potential cost their employers dearly, and both employers and jobseekers seem well aware of this. Like all cybersecurity occupations, security administrators are in high demand, and their managers will do well to be proactive about retaining existing talent.

4


This report covers the security administrator role, typically a frontline, individual contributor role on the IT security or security operations teams. We identified hundreds of distinct skills in the security administrator resumes and job listings we analyzed. The average job ad included 20 unique skills, while the average resume referenced just over 21 unique skills. Outliers in both groups listed as many as 40 skills on job ads and 50 on resumes.

What Skills Matter to Employers: Analysis of Job ListingsMaintenance, software, and testing are tied for the top slot among the security administrator skills most cited by employers, each appearing on 53% of job listings (Figure 1). Two other skills appeared on more than 40% of ads—compliance and Windows. Overall, 19 of the 20 most cited skills are hard skills. Problem solving is the lone soft skill on the list, appearing in 28% of listings. The job descriptions accurately portray the tactical and technical nature of this occupation.

Top Skills—Hard, Soft, and in Aggregate

The most cited hard skills suggest a role that is tactical in nature, but this does not imply that the security administrator should lack an understanding for the big picture. For example, compliance (45%) and procedure management (38%) require a broader understanding of systems and strategies. However, familiarity and proficiency with the different parts of the IT and security infrastructure are primary for this role.

Among specific soft skills, nine appear on 15% or more of job listings. This diverse list of soft skills includes complexity, integrity, leadership, and planning. These skills suggest that the successful candidate will have the ability to think on his or her feet, step in and provide leadership when needed, and assist with strategy. This makes sense, considering that security administrators frequently show up as key influencers across different cybersecurity decision-making titles when it comes to selecting security solutions (e.g., CIO, CISO, CFO, security architect, et al.).4 That said, it should be noted that these skills are on a distinct minority of job ads. In fact, the average ad only contains three soft skills, and some contain none.

“Security administrators have a distinct skill from other IT

administrators, which makes the job a stressful yet rewarding career.”3

Rank Top Hard and Soft Skills Combined Top Hard Skills Top Soft Skills

1 Maintenance (53%) Maintenance (53%) Problem Solving (28%)

2 Software (53%) Software (53%) Complexity (20%)

3 Testing (53%) Testing (53%) Integrity (20%)

4 Compliance (45%) Compliance (45%) Leadership (18%)

5 Windows (43%) Windows (43%) Planning (18%)

6 Operating Systems (38%) Operating Systems (38%) Scheduling (18%)

7 Procedure Management (38%) Procedure Management (38%) Analytics (15%)

8 Documentation (35%) Documentation (35%) Interpersonal (15%)

9 Training (35%) Training (35%) Time Management (15%)

10 Hardware (33%) Hardware (33%) Communications (13%)

11 Linux (33%) Linux (33%) Evaluation (13%)

12 Firewall (30%) Firewall (30%) Collaboration (10%)

13 Troubleshooting (30%) Troubleshooting (30%) Customer Service (10%)

14 Networks (28%) Networks (28%) Liaising (10%)

15 Patching (28%) Patching (28%) Prioritization (10%)

16 Problem Solving (28%) Installation (25%) Research (10%)

17 Installation (25%) Security Policies (25%) Writing (10%)

18 Security Policies (25%) Active Directory (23%) Change Management (8%)

19 Active Directory (23%) Logs (23%) Efficiency (8%)

20 Logs (23%) Network Security (23%) Accuracy (5%)

Figure 1: Top 20 hard and soft skills for employers.

5


Soft Skills Quadrants

Despite the paucity of soft skills in job ads, they are cited in a fairly balanced way when divided into four quadrants. Skills in each quadrant appeared in the top nine, cited in 15% to 28% of resumes:

nn Leadership Quadrant: leadership, planning

nn Analytical Quadrant: problem solving, complexity, analytics

nn Communications/Interpersonal Quadrant: interpersonal

nn Personal Characteristics Quadrant: integrity, scheduling, time management

Two of these quadrants—Personal Characteristics and Communications/Interpersonal—have at least one skill mentioned in half or more of job ads (Figure 2). And while Analytical Quadrant skills are mentioned on only 45% of listings, those that do include them often list more than one, resulting in an average of 1.0 Analytical Quadrant skills per job ad.

The prevalence of problem solving over all other soft skills suggests a desire on the part of employers for a team member who can work independently with minimal hands-on supervision and direction. The other soft skills depict a security administrator who can work as an integral part of a team and perform a variety of tasks in an efficient and effective way.

Analytical

Personal Characteristics

Leadership

Communications/Interpersonal

Figure 2: Job ad soft skills quadrant matrix.

1.0

0.9

0.5

0.7

45%

60%

30%

53%

Average Skills Per Job Ad




Occurrence in Job Ads




0-1

0

0

1+

0

1-2

1

2+

3-5

2+

Number of skills in job ads




6


Examining the Candidate: Security Administrator ResumesLike the employers whose job ads they are perusing, security administrator jobseekers heavily emphasize hard skills on their resumes (Figure 3). Only two soft skills appear in the top 20 skills cited—leadership (27%) and planning (26%). Installation is by far the most cited skill, appearing on 78% of resumes. Other skills appearing in more than half of resumes include software, testing, and maintenance.

Top Skills—Hard, Soft, and in Aggregate

Hard skills cited on resumes are weighted toward tactical experience, which is to be expected for workers at the individual contributor level. A look at the top hard skills shows at least two categories of tactical skills:

nn Administrative tasks such as installation, testing, maintenance, and troubleshooting

nn Familiarity with different elements of the IT infrastructure such as software, hardware, Windows, and Active Directory

Two exceptions to this rule are training (47%) and compliance (38%), which can be construed as more strategic.

As with job ads, soft skills are much less commonly cited than hard ones, with only three soft skills per resume on average. In addition to the aforementioned leadership and planning skills, five others appear on more than 20% of resumes: research, integrity, customer service, liaising, and scheduling.

Rank Top Hard and Soft Skills Combined Top Hard Skills Top Soft Skills

1 Installation (78%) Installation (78%) Leadership (27%)

2 Software (67%) Software (67%) Planning (25%)

3 Testing (57%) Testing (57%) Research (24%)

4 Maintenance (51%) Maintenance (51%) Integrity (23%)

5 Hardware (47%) Hardware (47%) Customer Service (22%)

6 Training (47%) Training (47%) Liaising (22%)

7 Windows (47%) Windows (47%) Scheduling (22%)

8 Active Directory (42%) Active Directory (42%) Complexity (18%)

9 Troubleshooting (42%) Troubleshooting (42%) Communications (16%)

10 Compliance (38%) Compliance (38%) Efficiency (14%)

11 Documentation (35%) Documentation (35%) Change Management (12%)

12 Firewall (35%) Firewall (35%) Time Management (12%)

13 VPN (31%) VPN (31%) Business Process (11%)

14 Networks (30%) Networks (30%) Writing (10%)

15 Reporting (30%) Reporting (30%) Evaluation (8%)

16 Leadership (27%) Security Policies (26%) Mentoring (8%)

17 Planning (25%) UNIX (24%) Accuracy (7%)

18 Security Policies (26%) Configuration (24%) Prioritization (7%)

19 UNIX (24%) Routers (24%) Analytics (6%)

20 Configuration (24%) Technical Support (24%) Problem Solving (4%)

Figure 3: Top hard and soft skills for jobseekers.

7


Soft Skills Quadrants

When soft skills are divided into quadrants, jobseekers distribute soft skills fairly evenly across the quadrants (Figure 4). Skills from three quadrants—Analytical, Personal Characteristics, and Communications/Interpersonal—are cited at least once on just over half of resumes. Leadership Quadrant skills are cited on 45% of resumes. On average, each quadrant is cited just under one time per resume. With hard skills predominating, the broad mix of soft skills mentioned on resumes depicts professionals who excel at their duties and interact well with colleagues.

Analytical

Personal Characteristics

Leadership

Communications/Interpersonal

0.7

0.9

0.7

0.7

52%

51%

45%

51%

Average Skills Per Resume




Occurrence in Resumes




0

0 0

1

1 1

2+

0

1

2+

2+ 2+

Number of skills in resumes




Figure 4: Resume soft skills quadrant matrix.

8


Analyzing the Gaps Between Employers and Security Administrator JobseekersJobseekers and employers list a similar number of total skills, and soft skills comprise an average of three of those skills for both groups (Figure 5). However, there are significant differences in the specific skills referenced. The most glaring gap is a skill overemphasized by jobseekers—installation, which appears on 52% more resumes than job ads. Among skills from job ads that are missing on many resumes, procedure management tops the list with a gap of 36 percentage points (Figure 6).

It is interesting that jobseekers overcite a very tactical skill by such a large margin, while missing a more strategic one. As security becomes more complex, process management will be a bigger part of the security administrator’s role.

Figure 5: Average number of skills per job ad and resume.

for Employers Per Job Ad



for Jobseekers Per Resume



20 17 3

21 18 3

Total Unique Skills Hard Skills Soft Skills

9


Hard Skills Deviations

Given that hard skills comprise the bulk of skills mentioned by both employers and jobseekers, it is not surprising that hard skills represent most of the deviations. Operating systems in general, and Linux in particular, are significantly undercited by jobseekers. Another important niche requirement is experience with the Defense Information Systems Agency’s Security Technical Implementation Guides (DISA STIGs)—cited on 13% fewer resumes than job ads. It seems likely that candidates will mention such experience when they have it, so this suggests a skills gap in the marketplace.

Besides installation, mentioned above, a number of other tactical hard skills are cited on significantly more resumes than job listings: wireless, VPN, IBM, configuration, technical support, and Active Directory. These skills tend to be more commoditized, and some are so common in this occupation that mentioning them adds very little to a resume.

Soft Skills Deviations

While the top 20 skills overemphasized by jobseekers do not include any soft skills, a few soft skills are missing from a significant number of jobseekers’ resumes. Problem solving (24% gap) and interpersonal skills (15% gap) top that list. Coming from a technical background, it may not occur to many security administrators that mentioning such skills on their resumes would benefit them.

Skills Cited by Employers More Often Skills Cited by Jobseekers More Often

Procedure Management (36%) Installation (52%)

Problem Solving (24%) Wireless (23%)

Operating Systems (18%) VPN (21%)

Linux (17%) IBM (20%)

Interpersonal (15%) Configuration (19%)

DISA STIG (13%) Technical Support (19%)

Data Protection (12%) Active Directory (19%)

Patching (12%) Desktops (17%)

Collaboration (10%) UNIX (17%)

Network Protocols (10%) LAN (16%)

Analytics (10%) Oracle (16%)

Security Awareness (10%) SOX (15%)

Vulnerabilities (10%) Reporting (14%)

Compliance (8%) Hardware (14%)

Python (8%) Software (14%)

Security Best Practices (8%) Research (14%)

Access Management (7%) Routers (14%)

Intrusion Detection System (7%) SQL (13%)

Business Continuity (7%) DNS (12%)

Proactiveness (6%) DHCP (12%)

Figure 6: Percent difference in top 20 skills listed by employers and jobseekers.

10


Education and CertificationBased on our analysis of job ads, employers tend to require a single college degree in security administrator job listings. This would presumably be a bachelor’s degree, although some may require an associate’s degree as a minimum. The average resume lists 0.8 degrees, meaning that most but not all applicants have a degree.

In terms of certifications, employers on average ask for 1.6 certifications, while security administrators list 2.8 certifications on their resumes. Of course, specific jobs require specific certifications, so it behooves applicants to include all their certifications on their publicly posted resumes.

Career Tenure and Job-HoppingApplicants for security administrator roles started their careers an average of 21 years ago, when common use of the internet was relatively new and corporate IT networks were being built. Given that they are potentially applying for another individual contributor role, they seem to see themselves as well-suited for work at this level.

Jobseekers we analyzed have had an average of 1.3 jobs in the past two years and 1.8 jobs in the past five years (Figure 7). While the security administrator role is relatively commoditized and one would expect a fair amount of turnover, these numbers actually reflect the second lowest rate of job-hopping among the nine IT security occupations we surveyed.

The data is mixed as to whether job-hopping is getting worse in the overall economy.5 There is some evidence that the problem decreases with age and tenure,6 but our finding that this lower-level occupation has such a low turnover rate suggests that the issue is more complicated than demographics. Job-hopping is undoubtedly costly to companies when it does happen, and those with cybersecurity skills will be a target for competitors for the foreseeable future.

Figure 7: Job tenure in resumes.

Gender GapThe gender gap in technology is widely noted with concern.7 This is unfortunate, because women as a group tend to excel at many of the soft skills that are now recognized as crucial in the field. Of the resumes we randomly selected and analyzed for security administrator positions, 17% belonged to women—a higher percentage than with any other occupation we surveyed. This is not surprising given that this is the least senior role we studied, and the fact that the percentage is so low for such a role is a cause for significant concern.

Resumes belonging to women tend to list significantly more soft skills overall—and more soft skills in each quadrant—than their male counterparts. Interestingly, female-oriented terms outnumber male-oriented terms on security administrator job listings (Figure 8)—something that occurred with only two of the nine of the occupations we surveyed. At least for this less-senior position, employers have figured out that they should include more female-oriented terms such as “collaborate,” “support,” and “mentor” alongside male-oriented terms such as “strong” and “leader.”

Average years since first job

Number of jobs in past 2 years

Number of jobs in past 5 years

Number of total jobs on resume

21

1.3

1.8

4.7

11


1 “The CISO Ascends from Technologist to Strategic Business Enabler,” Understanding the Cybersecurity Skills Shortage: An Analysis of Employer and Jobseeker Skills and Occupational Demographics, Fortinet, August 15, 2018.

2 “How to become a Security Administrator,” InfoSec Institute, accessed May 10, 2019.

3 Ibid.

4 Based on network security persona research conducted by Fortinet.

5 David Weedmark, “Career Tenure and the Myth of Job Hopping,” The Balance Careers, March 4, 2019.

6 “2018 Job Hopping Report: An Analysis of Job Ads and Resumes,” LiveCareer, accessed October 17, 2018.

7 Gillian Tans, “Why it’s vtal we close the tech gender gap,” World Economic Forum, January 19, 2018.

8 “Fortinet Security Fabric Powers Digital Transformation: Broad, Integrated, and Automated,” Fortinet, March 29, 2019.

References

Concluding ThoughtsAs the threat landscape gets more complex and threat response becomes more urgent, the security administrator becomes an increasingly important frontline worker to ensure protection of sensitive data and uptime for critical systems. As CISOs take steps to integrate their security architecture and automate security processes, this role’s focus will become more strategic, with the potential for frontline workers making policy recommendations informed by their broad vantage point. Companies will do well to seek well-rounded technologists for this role, and jobseekers will do well to emphasize their soft skills and their strategic experience on their resumes.

In today’s enterprise, the security administrator will not be successful without a broad, integrated, and automated security infrastructure. The Fortinet Security Fabric enables security teams to focus on proactive threat prevention rather than reactive remediation. For more information on the Fortinet Security Fabric, check out the white paper, “Fortinet Security Fabric Powers Digital Transformation.”8

Figure 8: Gender-oriented language in security administator job ads.

Male-Gendered Terms Per Job Ad

Female-Gendered Terms Per Job Ad

2.7 4

https://secure.fortinet.com/LP=5393?elq_src=Social&elq_cid=70134000001Xc8dAAC&elq_staid=10&elq_eid=12054&elq_sid=13834

https://resources.infosecinstitute.com/job-titles/security-administrator/#gref

https://www.thebalancecareers.com/job-tenure-and-the-myth-of-job-hopping-2071302

https://www.livecareer.com/job-hopping

https://www.weforum.org/agenda/2018/01/close-the-tech-gender-gap-gillian-tans/

https://www.fortinet.com/content/dam/fortinet/assets/white-papers/wp-security-fabric.pdf

Copyright © 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

www.fortinet.com

June 27, 2019 11:58 PM

D:\Fortinet\Work\2019\June\062719\report-security-administrator242791-0-0-EN

the security administrator: providing frontline protection · soft skills quadrants, though skills...

Documents