Addressing the Security Skills Gap
There's no disputing that we have more open security positions than applicants to fill them. At first glance, the statistics are staggering: 3.5 million cybersecurity jobs are projected to be open and unfilled by 2021, even as ransomware attacks grow 350% year-over-year.
We sat down with senior security leaders to discuss the security skills gap and why the industry has such a troubled relationship with attracting and retaining talent.
“As an Industry We’re not Good At Uncovering People”
Bridging the talent gap isn't an issue exclusive to security. Industries all over the world have trouble finding the right kind of talent to meet demand. Cybersecurity, however, is a particularly large offender when it comes to a lack of creativity in hiring. Slews of certifications and qualifications (CISSP, CompTIA PenTest+, CySA+, CASP+, CEH and CISM, among others) and job descriptions that demand long tenures in previous positions (in an industry that is constantly evolving) put up immediate barriers to entry.
Oscar O'Connor, Director of Security, isn’t entirely convinced that there even is a skills gap.
"I think our problem as an industry is that we're not very good at fishing for talent. Our recruitment processes are broken; they weed out many of the people we need to attract."
Oscar believes that these barriers to entry - often imposed by HR and recruiters 'who look for lists of keywords' - stop the best talent from ever seeing the career opportunities in security, leaving big names like BAE Systems as the only institutions with the pulling power to attract it.
But rather than competing with the powerhouses of security for the more tenured individuals, Oscar looks to education as a source of untapped talent.
For many, time spent in education is time spent uncovering passions. But with cybersecurity largely absent from formal curricula, inspiring the next generation becomes an uphill struggle.
"We're not good at uncovering talent. We're not good at encouraging girls, particularly, and young people coming through school, that we need to go into science and technology, engineering, mathematics, security, coding."
“The Whole Business of Education Moves Too Slowly”
Now more than ever, schools are relying on their online IT and ed-tech services to help with teaching and admin tasks. Staff can play a key role in keeping these IT services (and the information they access) secure and available.
However, a recent school cyber security audit showed that teachers and support staff did not feel very knowledgeable about cyber security. The survey highlighted an appetite for more staff training and new resources to help bridge this knowledge gap.
The reality is that cybersecurity is constantly changing. Security breaches have increased by 11% since 2018 and 67% since 2014. How do you teach something that is in a constant state of evolution? For Oscar, the answer is simpler than you may think.
"We just have no way of kind of envisioning what a curriculum should look like, because we don't know what the next threat is or what the next technology is. One thing we can be sure of is that it will need to be secured. Being safe. Being secure. Being conscious. Those can be taught."
The school cybersecurity audit certainly revealed a desire from teachers and support staff for knowledge of security matters so they can better educate their students - but even that points to an identity problem for cybersecurity as a career option.
“It’s Aptitude, Aptitude, Aptitude.”
The route to a top-level security role is a twisting, winding path. When it comes to security, everyone has a responsibility to do the right thing. For a CISO, at the very tip of the security spear, it's about coupling technical knowledge with really good communication and stakeholder management skills.
For Tim Rawlins, Director and Senior Adviser at NCC Group Plc, success in cybersecurity can lie outside the realms of the technical.
“It's the aptitude that we're looking for and not necessarily technical expertise in any one technology or other.”
An inquiring mind, good communication skills and the ability to listen to and understand your clients' challenges - these are skills that no certificate, degree or qualification can give you, and they are essential to driving organisational security change rather than taking a prescriptive approach. For Bence Horvath, Director, Technology Consulting - Security at multinational professional services firm Ernst & Young, those working in security have to become "the agent of change".
"They need to get more out of their comfort zone, take a non-technical mindset when going out to the boards, diverse committees and business leadership, and say: Look guys, the changes you are trying to enact will open us up to new risks, so please consult us, include us, because in the end, you're accountable for keeping the company, its employees and its customers safe."
A new and emerging skill that is being eyed greedily by security hiring managers is the ability to step out of the narrowly defined technical role and become this agent of change.
Perhaps unfairly, those in technical security roles are often stereotyped as restrictive and overly concerned with process. More often than not, this leads to them being seen as obstacles or 'naysayers'. For Bence, it's crucial for a CISO to shake off that stereotype quickly.
"Move from being the person always saying 'It's not allowed. Nope. There's no way we can do that' to being the proactive one working with the rest of the business and with the rest of the stakeholders to come up with a solution."
“Security is not About Just Writing A User Policy”
Surinder Lall is the VP Information Security at global media and entertainment company ViacomCBS. With well over 10 years in technology security, and a current role managing a team across four continents, he is well placed to discuss the security skills gap on a global scale.
For Surinder, the first thing to consider when discussing the security skills gap is the split in the talent pool.
"You've got a reasonably sized portion of heavily skilled, battle-hardened security people who have been in the game for 10 to 15 years. Then you've got people who have been in security for 10 to 15 years but haven't done anything more than policy writing, and then you've got people who have just transitioned from other senior roles within tech, running IT departments or being ex-developers."
To begin with, this mixed bag of professionals entering the market at the same level, with vastly diverse skills, creates a difficult situation for those looking to hire a security specialist. With no clear-cut definition of what makes a security professional, job specs can end up as something of a Frankenstein's monster.
"Everything they can think of security-wise and not security-wise, they chuck it in and hope for the best. In reality, there aren't any people who have all of those skills."
Normally, that's where training comes in. You can train people in the soft skills, or the required technical skills, and move them towards what a high-level, senior security professional needs. All it really takes is time. But for Surinder, what is lacking is real-world experience, and that's something you can't teach. As a result, educational bodies are poorly preparing graduates for the reality of the security situation.
"And you see a lot of universities churning out security postgrads who have never seen a corporate network before, have never experienced the chaos that comes with managing an incident across multiple time zones. They've never seen it."
But instead of laying blame at the feet of these educational bodies, who will always have a hard time keeping up with the rate of change, Surinder looks to the image that security has and the community that surrounds it.
“If you’re developing in C++, everyone knows C++ and all that community knows C++. Security, on the other hand, doesn’t have that community because it’s more conceptual. It’s a type of person.”
Often, the best security professionals find themselves analysing vast amounts of data and scenarios while finding ways to mitigate risk.
“We're effectively strategists. You’ll find the most effective security people are often developers, people who have worked in engineering backgrounds, very logical, very methodical, and people able to deal with and cope with pressure.”
With such a hard-to-define 'type', the security skills gap just keeps getting bigger: professionals don't know what skills to develop or which path to follow, and hiring managers don't know what skills to look for.
“There are Gaps in Organisation’s Data”
Howard Pritchard is a Global CISO and Information Security Consultant. With over 38 years of experience in cybersecurity, Howard believes the skills gap reflects a gap in an organisation's understanding of the types of security roles it actually needs.
“Cybersecurity is all about securing the IT infrastructure and the Data that resides across it, and a linkage to the information security requirements. Many organisations get this wrong when they're asking and looking for information security people, what they are really talking about is IT resources with security skills (Cyber Security). There needs to be distinct clarity between what IT Security (Cyber Security) and Information Security are within an organisation.”
We've seen it before: organisations say they want information security, or a Head of Information Security, but what they're really looking for is someone who can manage the technical aspects of the department through to operational requirements. So despite taking a senior, leadership position within a security function, the person lacks the skills to provide leadership in understanding the organisation's business and operational requirements, setting budgets and aligning the cyber security strategy to the business. The real role becomes IT security support for everyone: a firefighter who becomes disillusioned over time, burnt out by pressure from senior management who are not educated in the differences and want to see an immediate return on investment, the person held accountable for any organisational incident or breach, the creator of information security key metrics, and the one reporting information and cyber security risks to the regular board meetings.
This lack of understanding appears at both ends of the scale, with CISOs and Heads of Information Security missing a trick when it comes to potential new hires for road-mapping future projects and Business As Usual (BAU) activities - as Howard explains:
"When an organization's CISO says 'I want to hire a new resource', what many fail to look at is whether that is actually resolving an issue or challenge. Have the business/operational requirements increased, requiring further resources, for example? Or is it simply bolstering team numbers due to the latest external audit report, ending up with no direction?"
Without a proper gap analysis of the business and operational requirements, and the ability to build an information security strategy aligned to that organisation, CISOs effectively become firefighters: a label without substance.