Cybersecurity is all over the news lately, from Yahoo sending out warnings to users regarding potential malicious activity on their accounts, to  Apple routinely sending out updates to iOS to patch vulnerabilities. Because of this, it’s no surprise that organizations are working to fill information security roles.

But they are running into a problem when doing do: There aren’t enough qualified applicants to fill these openings.

That’s the key finding from information systems association ISACA’s recently released State of Cyber Security 2017 [PDF] report.

“On average, 59 percent of enterprises get at least five applicants for each open cybersecurity position, but most of these applicants are unqualified,” the report states.

Most organizations surveyed are focused on hiring cybersecurity experts who have hands-on experience and certification rather than formal education. But, according to the report,  in a newly burgeoning field, that’s hard to find.

“Almost 27 percent of respondents state that they are unable to fill open cybersecurity positions in their enterprises—with another 14 percent of respondents unaware as to whether their enterprises could fill these positions or not,” the report states.

In addition, more than one-in-four companies report that the time to fill priority cybersecurity and information security positions can be six months or longer. “Not having security is basically like leaving your door open. Imagine leaving your door open or security alarm off for six months because you can’t fill a security position,” Eddie Schwartz, DarkMatter’s executive vice president of cyber services, as well as an ISACA board member, told eWeek.

So what’s the best way for your association to find the right person to keep your members’ information safe?

In a press release, ISACA outlines five steps organizations should take to find and retain cybersecurity experts.

Among them: “Create a culture of talent maximization to retain the staff you have.” Investing in both personnel growth and technical competency is one way this can be done.

ISACA also recommends training current staff with related skills to move into cybersecurity roles. “They are likely to be highly incented to do so, and it can help fill the gap in the long term. Having a path in the organization to do this can be a solid investment, as it can be cheaper to fill those gaps and help support employee morale.”

The full report can be read here [PDF].