No, it is not your imagination: good IT security help is hard to find.

So says a new survey by ISACA and RSA Conference, which reports that 82 percent of organizations expect to be attacked in 2015 – yet acknowledge that they have a talent pool that is largely unqualified and unable to handle complex threats.

More than one in three companies, or 35 percent, are unable to fill open security positions, according to the report, The State of Cybersecurity: Implications for 2015.

Given that online security has been a brewing issue for years — and that universities and colleges have not been shy about promoting their computer science departments and degrees — it is fair to wonder what the heck is going on. Are these IT skills really that scarce and difficult to acquire?

The Dismal Big Picture

No more than IT skills typically are — but there are some other issues to consider as well, Eddie Schwartz, chair of ISACA's Cybersecurity Task Force and president and COO of WhiteOps, told CMSWire.

The first is to never overestimate the ability of companies to predict the future, or at least their future talent needs.

"The idea that 'everyone' saw this huge need for security IT skills coming years ago is not true," he said. "Think of it like a tidal wave in the sense that it started out as a ripple in the ocean and then quietly but quickly became bigger and bigger."

It wasn’t until some of the very high-profile computer hacks of the last few years that ordinary businesses realized that they needed to get up to speed on this issue, according to Schwartz.

Another point to consider -- and one the report further highlights -- is that many companies are starting to seriously think about their security teams from a position of less than zero. The survey noted that only 16 percent of respondents feel at least half of their applicants are qualified. More than half, 53 percent, report it can take as long as six months to find a qualified candidate.

Your Perfect IT Security Worker

A business might reasonably conclude from all this that the most practical answer is to cultivate and train its in-house staff to meet its online security needs. Unfortunately, here again, the survey leaves little room for optimism.

Respondents overwhelmingly acknowledged that their ideal cybersecurity worker is someone with a formal education, practical experience and appropriate certifications.

"The problem is, you can't build these people overnight. It takes a few years to go through a Master's program, especially if you are doing it part time," Schwartz said.

Well, what about convincing employees in other, related tech areas to make over their career paths? That might be more doable, but don’t underestimate the pitfalls involved here either, Schwartz cautioned.

"Recruiters will tell you that if you want to convince someone to take a risk changing over her career you have to show her the career path first. You have to show her that in X amount of years she can expect to have accomplished certain things and can expect a certain level of compensation."

IT security is still too nascent for that, he added.

The Silver Lining

There are a few upsides to the report's findings, namely that security has finally made it onto the C-Suite's radar.

Some 79 percent of the respondents say their board of directors is concerned with cybersecurity.

Also, cybersecurity is clearly becoming a core focus for companies: 55 percent of the respondents report that their company has a chief information security officer and 56 percent report their firms will spend more on cybersecurity in 2015.

And here's another piece of good news, relatively speaking. Schwartz believes that this mismatch between IT security talent demand and supply will even out somewhat over the next five to ten years.

Title image by VinothChandar, Creative Commons Attribution 2.0 Generic License.