News & Commentary

2/28/2017
02:00 PM
Lysa Myers
Lysa Myers
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

How Security Pros Can Bridge The Skills Shortage

By paying it forward, we can help address the industry's exploding need for talent.

If you feel like you’re overworked and that your security department is short-staffed, you’re probably not imagining it. Two reports were released recently, with less-than-encouraging statistics about the growing security skills shortage. Is there anything we can do to stem the tide?

ISACA’s Current Trends in Workforce Development sheds light on the problems companies are having staffing open positions. More than a quarter of enterprises find they are unable to hire the people they need, and those that are able to fill positions report that it takes more than six months to find the right applicant for the job. Almost half of those surveyed said they got fewer than ten applicants for each job listing and 64% of respondents said that not even half of those who applied were qualified for the position.

This means that there is a huge unmet need, which is causing a serious problem for businesses. In a recent study by Dimensional Research and Tripwire, only ten percent of organizations have the skills to address the full range of the most prevalent threats. Even when singling out ransomware - the threat that most organizations reported to be their biggest concern -  only 44% of respondents said they had the skills in house needed to handle the problem.

The obvious answer to the skills shortfall is to increase both the quantity and quality of applicants. But with few schools offering computer science at the K-12 level, many students are unaware of information security as a career option. Those who start computer science studies at the college level often feel discouraged, as the learning curve is steep, especially compared to peers who have had earlier learning opportunities.

Still, there are a lot of options out there where we as security professionals can help bridge the gap.

Pay It Forward: Volunteer!
While encouraging overworked people to volunteer may seem counterproductive, getting kids interested in computers and security can be a fantastic antidote to burnout. There are a lot of national groups such as TEALS, Girls Who Code, Women’s Society of Cyberjutsu, and CoderDojo as well as local STEM events, hackathons and bootcamps that are in need of expert support.

Show Them the Money: Scholarships
The cost of formal education is growing at a rapid pace, which keeps interested people from getting the skills they need to join this industry. The good news is that there are a lot of scholarships that have been set up to encourage people to pursue an education in security. Several sites, such as (ISC)², CyberWatchWest and WiCYS maintain lists of resources for students seeking scholarships and internships. Security companies' and schools’ websites also may also offer information on additional financial resources. The second annual “ESET Women in Cybersecurity Scholarship,” will be taking applications through March 15th.

Uncover Untapped Resources: Diversity
A lot has been said about the lack of diversity in the security industry. While this is problematic, it’s also represents a huge opportunity, as it points to an untapped resource for attracting new talent. National groups like Code2040 and Black Girls Code are helping to cultivate the next generation of developers.

The ISACA report highlights another source of potential new hires that the industry may be overlooking: people who have neither formal education nor professional certifications in security. If someone has other important skills for the job at hand and technical aptitude or interest in security, but lacks more traditional qualifications, they may be automatically weeded out.

Some of the brightest people that I’ve known in the security industry came to it as a departure from a very different career path. People seem to have forgotten that not all security positions require a graduate degree in computer science, and that the necessary experience can be gained on the job. By making significant changes now, we can avoid the projected shortfall of 1.8 million professionals in 2022.

Related Content:

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MozzieMan
50%
50%
MozzieMan,
User Rank: Apprentice
3/1/2017 | 9:39:26 AM
Security Pros
Many businesses are not sure what they need; pentester, ISSO, CISO, etc, etc.  Do they want someone who can write policy?  If so, that pentester might not be great at formal writing.  Businesses should invest on entry level peoples giving them the basics and from there weed out who is more of a technical/policy writer, who is the active defense cyber guru and build from the ground up. 

Many of these jobs do require computer science/programming skills but the Universities are just now coming into that but from what I can tell it's still very much cyber security/information assurance vs coding.

Only your true programmers will shell out 2500.00 or more for an ISACA cert.  I've been an ISSO for around fifteen years now and working on a Masters in a similar field and do not wish to do pentesting but can do physical security/ end user and sys admin cyber training, systems security as far as defense but it seems many businesses are wanting the all in one.  I'm sure there are a few out there but they command a much higher salary than I'm seeing advertised. 

Why not have the CISO and then branch out from there, for your policy, defense, pentest, ISSO.
Ransomware Grabs Headlines but BEC May Be a Bigger Threat
Marc Wilczek, Digital Strategist & CIO Advisor,  10/12/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Be a unicorn, not a donkey...
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.