How to Address the Problem of Shortage of Cyber Security Professionals?

QUESTION TO OUR EXPERT PANEL MEMBERS FOR THE MONTH OF AUGUST: What are your recommendations in addressing the problem of shortage of cyber security professionals?

RESPONSES:

[su_box title=”Andrew Agnes, Founding Member, Host Unknown” style=”glass” box_color=”#a45bb4″ title_color=”#060706″]Is there really a shortage of cybersecurity professionals?  I’m going to let you in on an industry secret which may take you by surprise so brace yourself;  the majority of reports produced about the low availability of “qualified” professionals are usually based on data collated and reported by global, non-profit, independent associations (or consortium’s) who are advocates for validating people’s competencies.  Well, them or recruitment agencies.

Being a participant in these survey’s in the past, I’m not casting aspersions on the intent for producing the reports or questioning the integrity of the data.  The highlights usually state a high percentage of respondents see a skills gap in their organisation, they plan to hire more people and anticipate difficulty in finding suitable candidates.

Have a look within your organisation and consider how many departments this could apply to.  Does the Sales Director want more people?  Does the Product Director want more training for their people without losing them during working hours?  When hiring, does the IT Manager expect to get the perfect candidate on the first interview?  We’re not the only industry facing these challenges.

A cyber-defence department is a new concept to many organisations.  Hiring managers have an idea of what they want and a lot of HR departments kinda / sort of know how they can confirm those skills (check the certs, man!) but that doesn’t mean the candidates they interview are a good fit because they posted a job specification to cover all angles:

—

Position: Junior Information Security Officer

Required: *Must be certified MSc – Information Security, CISSP, CISA, ISO27001LA, CEH and minimum 10 years experience in PCI-DSS regulated environments.

Preferred: Candidates with TOGAF and PRINCE2 qualifications

Other: Extra hours outside of work will be required to respond to incidents (unpaid)

Salary: Insulting base, unachievable maximum bonus tied to conditions out of your control but the opportunity to stamp your own mark on the role in this exciting, fast paced company!

Interview Process: You must be able to hack a Facebook account of my choosing

—

*Most people who run adverts like this haven’t heard of GIAC certs – no discrimination by me

If the investment in people operates at this level, what budget do you think you’re going to get for tools to assist you with your job?

The recruitment process will take longer because the unicorns being sought after, never materialise.  As the hiring manager, you learn along the way and by the third month of interviews, you understand the compromises you have to make and end up with a candidate unrecognisable from your original brief.

“Cyber” roles haven’t been around long enough for organisations to make informed decisions on their own because of the absence of reliable baseline salary data.  That has created a mismatch in the supply and demand in fulfilling those roles.

If you want someone with TOGAF, PRINCE2, an MSc, et al, then combine the salary of an Enterprise Architect, a Project Manager, the cost of a degree course plus compensation for the minimum five years of working experience to obtain the other certs and you’ll find you will receive a higher calibre candidate along with the average CV’s.

It only feels like recently we were discussing a shortage of Data Scientists (how do you use Big Data anyway?) and in the near future we’re going to be talking about a lack of “IoT Prophets” to save our cars and lightbulbs from very real threats.

If you want a workforce capable of dealing with bleeding edge situations, offer them bleeding edge remuneration packages.  Otherwise, accept that people qualified to hit the ground running will come at a cost commensurate with their skills and experience.

There is plenty of talent out there, they’re either being overlooked because of unrealistic expectations or they’re just not interested in what is on offer.[/su_box] [su_box title=”Claus C. Houmann, Head of IT, A bank in Luxembourg” style=”glass” box_color=”#a45bb4″ title_color=”#060706″]At last week’s #bsideslv conference, the organizers had included a career track which had several really great things in it:

1. Companies hiring for information security positions were present with both technical guys talking about their jobs but also their internal recruiters were present to help job seekers better know what companies need and how job seekers should present themselves
2. There were a number of very experienced Cyber Security recruiters present who did presentations and panels discussing the best way to approach a company, how to prepare for an interview + what to say, how to structure your CV, what to do career/training wise to increase your desirability to the employers
3. There were mentors that would give free career advice to the job seekers present

We need more conferences to do this, it was hugely successful. We also need more universities to push through larger amounts of students within our area and then help them get intern/training positions. And we need to reach out to companies and encourage, even incentivize them hiring or opening intern positions regularly in Information Security.[/su_box][su_box title=”Georgia Weidman, Founder and CEO, Bulb Security LLC” style=”glass” box_color=”#a45bb4″ title_color=”#060706″]The best way to address the shortage of cybersecurity professionals is to acknowledge the shortcomings in current hiring practices and augment them accordingly. As a rising graduate of a master’s program in computer science I had no problem finding a job in cybersecurity; every government contractor imaginable came to our school just to interview potential candidates with STEM credentials. However I’d be first to admit that while I could solve algorithm problems on paper and could write a dissertation on fault tolerant operating systems, at the time I had very little hands-on knowledge. In my capacity as an instructor at security conferences and a mentor in the hacker community I regular find passionate, driven candidates who are unable to get their foot in the door because they don’t have a college degree. I see the same problem with theoretical certifications. While they show a candidate can memorize the answers from a study guide, they don’t begin to give the whole picture. As long as HR departments are flagging resumes solely based on the presence of certs and degrees some of the best candidates with the most potential and commitment will continue to be overlooked. These resume buzz words so to speak need to be augmented with additional indicators such as speaking at local events such as Security Bsides, or giving a class at a hackerspace.[/su_box][su_box title=”Charles Sweeney, CEO, Bloxx” style=”glass” box_color=”#a45bb4″ title_color=”#060706″]The first way to engage more young people in cybersecurity is to get them interested at an early age. The move towards bringing coding into the curriculum is a huge step in the right direction, but these kinds of skills and topics need to be made accessible for children. For a long, long time there have been library initiatives to get children reading books over the school holiday (using a sticker book to chart their progress), so why not utilise the same kind of popular scheme and apply it to online skills?

In addition, potential employers, worried about the shortage of cybersecurity trained staff  need to broaden their horizons and think about potential candidates they might not usually consider. It is not necessary to have a computer sciences degree before embarking on a career in the field; look at accountancy, who take a high percentage of English language students as they know that they can teach them them core accountancy skills, but already have a strong basis in writing and communication. Skills are transferable, and should be viewed as such.

Finally, employers need to look at the IT culture and systems that they have themselves when looking to attract cybersecurity professionals. These are people interested and passionate about technology, so make sure that you are offering tools that they can use effectively and are already familiar with. A life long Windows user is going to struggle if put in front of a Mac, and somebody working professionally in the IT space is not going to be impressed if they can’t access any cloud computing systems. Do some research, and look at the tools that are needed by a potential employee to work effectively in cybersecurity. If the average man on the street could go and buy an IT system to rival your own, it may well be time to review your hardware and what you can offer potential employees.[/su_box][su_box title=”Allan Pratt, Adjunct Faculty & InfoSecurity Strategist, Los Angeles City College & Consultant” style=”glass” box_color=”#a45bb4″ title_color=”#060706″]There are a number of ways we can address the problem of the shortage of cybersecurity professionals. First, employers need to stop looking for the “purple squirrel” – the exact skill sets they are looking for but will not find – and realize they may have to hire someone that may be qualified but not perfect.
Second, as security professionals we should create internship and apprenticeship programs from which we could develop the next generation of professionals.
And third, we should also look at those who are in the process of changing careers.
I teach the CompTIA Security+ cert preparation course at a community college. The students who attend the course for the most part work in a corporate setting and are looking to change careers or move up. Many of these individuals are very bright and would do well in the infosec field, but business intelligence, regardless of the industry, is an important tool for anyone to understand today’s cybersecurity environment. Understanding what is going on in the world of business, both public and private, is just as important as knowing what to look for during a vulnerability scan. I have read that if we don’t get students interested in the field of cybersecurity by high school, then it’s too late. I ask why? Why throw away an entire generation of people because they had the misfortune of being born before cybersecurity ever became an issue? In the cyber “cold war” being fought today, with all of the major breaches that occur on an almost daily basis, shouldn’t we have as many hands on deck as possible? There is a lot to be said about having someone mature in a decision-making role. But it’s not just a shortage of cybersecurity professionals, it is now a crisis.[/su_box]To find out more about our panel members, please visit the biographies page.