6/18/2014
02:00 PM

Ending Cybersecurity Labor Shortage Will Take Time

Researchers at RAND say the industry has taken the right steps, but there is still a long way to go.

Overwrought CISOs, take heart: You may be short-staffed now, but the best seeds for solving the shortage may have already been planted, and now we just need to wait for them to bear fruit.

This is one of the findings of "Hackers Wanted: An Examination of the Cybersecurity Labor Market," a new study by the RAND Corporation. The study also shows that, while the world waits for the next generation of security professionals to mature, industry is using creative ways to identify people with an aptitude for information security within the workforce. The authors further suggest that, instead of just increasing the supply of infosec professionals, we should try reducing demand for them.

Martin C. Libicki, senior management scientist at RAND and one of the authors of the report, is not surprised that the skills gap is taking time to close. "It takes a while for someone to get proficient," he says. "You might dangle a carrot in front of someone in 2010, but they won't be able to chew it until 2015."

However, Libicki was surprised by the ability of large organizations to cope with the short-term limits by using "systematic ways of going through their workforce" to find talent.

Since all organizations must conduct security awareness training sessions anyway, some are folding personality and aptitude testing into that training. They look for people who have dismantled their home computer for fun -- those who like solving puzzles, finding out how things work, and learning how things could be made to fail. These diamonds in the rough (who might have degrees in English, not computer science) may be encouraged to take infosec training and consider a career change.

The trouble with training employees, of course, is that people will happily take that training and then take their newly minted skills elsewhere.

Libicki says that this is a common problem -- not unique to cybersecurity -- for most organizations, outside of the military. (As he says, knowing how to operate an aircraft carrier isn't likely to be transferable in the private sector.) However, training and retaining security professionals is a significant problem within other sectors of the government. One of the limiting factors is the government's strict pay grades.

"The average infosec person earns about $100K. The government can play in that space," Libicki says. However, the most skillful, top-tier pros are few and therefore come at a premium -- between $200,000 and $250,000. The US government might be able to afford up to $150,000 and might be able to add some non-monetary benefits beyond that, but when the price goes above $200,000, the government cannot compete with private industry. This inability to retain the very best talent can put national security at risk.

The study does muse on the idea of boosting national cybersecurity at times when the threat is highest by drawing on reserve forces, like the National Guard and the Army Reserves, that become available when there is a crisis, but the authors think that this is a flawed idea. From the report:

    Unfortunately for most cybersecurity tasks (forensics conspicuously aside), effective cybersecurity defense requires familiarity with the systems being attacked -- something that part-time exposure does not provide very well.

Libicki adds that, if a security pro at a bank is called into service for the government, the bank is suddenly left unprotected.

So there is still a need for a higher quantity of warm bodies in infosec jobs. The RAND study states that there will be higher numbers a few years from now, because schools and universities have responded to the demand.

Nevertheless, the demand might increase.

Libicki says that, instead of just increasing the supply of security professionals, the industry should work on reducing demand. "$70 billion is spent on cybersecurity globally. If we could shift some of our money to making sure our software had fewer holes in it," instead of plugging those holes later, enterprises and national security could be better managed by fewer people.

Yet the secure development lifecycle is not the only thing in the bag of tricks, he says. Secure architecture is just as important as software. He points to how the closed environment of Apple products keeps them safer than the openness of Android products and how sandboxing makes Google Chrome more secure than Firefox.

"I would make a wild guess that one out of every 10 people who could be a great cybersecurity professional are already doing cybersecurity," Libicki says. "Maybe we need to get 15% of them instead of 10%, but I don't want to get to the point that all 10 of them are doing cybersecurity. We need those smart people doing other things, too."

Other recommendations made by RAND include:

    More active waiving of civil service rules that impede hiring talented cybersecurity professionals, maintaining government hiring of cybersecurity professionals even through adverse events such as sequestrations, funding software licenses and related equipment for educational programs, refining tests to identify candidates likely to succeed in cybersecurity careers, and, in the longer run, developing methods to attract women into the cybersecurity profession.
    But, in general, we support the use of market forces (and preexisting government programs) to address the strong demand for cybersecurity professionals in the longer run.

The full report can be found at rand.org.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
securityaffairs,
User Rank: Ninja
6/20/2014 | 6:55:54 AM
Re: A Sensible Report - Missing Something?
There will always be a growing demand for skilled profiles ... hackers and companies is a marriage that is becoming a significant need.
Randy Naramore,
User Rank: Ninja
6/19/2014 | 9:45:20 AM
Re: A Sensible Report - Missing Something?
Agreed, some of the "hackers" are very skilled and in the right circumstances can make a talented member of any security team, as long as they have turned from their criminal ways. The knowledge they can share can be very useful in avoiding future attacks.
Christian Bryant,
User Rank: Ninja
6/18/2014 | 4:02:21 PM
A Sensible Report - Missing Something?
I hadn't read this report and immediately downloaded it after this posting. I wish I could respond to every point, because they are good ones and paint a great picture of where cybersecurity is right now. My interest in cyber security began in 1996, but I've never worked under a security title. RAND rightly notes that folks like us are valuable both under and outside the CIS umbrella.

That said, I still think there is an untapped resource pool out there, and it's one that understandably is tough to figure out. Some companies and the government do this, which is to recruit cyber criminals to work for them, sometimes with the benefit of amnesty (if working for the government) or other perks like the promise of career advancement that keep the recruits "honest".

There are many talented and well-meaning hackers out there with criminal records. Times change, people change. And in many cases, it is this pool you want to pull from, and not the book-learned pool. The pool of cyber criminals and hacktivists (keep in mind, having a record doesn't always equate to criminal intent; hacktivists are often arrested and they are good people trying to make a difference) hosts intelligent and well-seasoned hackers who have learned and executed skills one may never learn in college or trade schools.

Excellent overview of a solid report, otherwise - can't wait to see the follow-ups.