Dark Reading Radio

The Cyber Skills Shortage
Date / Time: Wednesday, October 19, 2016, 1:00 p.m. New York / 10:00 a.m. San Francisco
Overview:
According to industry estimates, about a million new IT security jobs will be created in the next two years but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.


Live Chat

Wow--we are already at the top of the hour. So much great conversation and insight from our guests, Carson Sweet and Rodney Petersen. Thank you both so much for joining Dark Reading Radio today. And thank you to everyone who came today and joined the online chat. 

Thanks again to the attendees, Kelly, Rodney, and Dark Reading for hosting the discussion.

Apprentice

I think training and certification is ripe for both EXPANSION and IMPROVEMENT.  The reason that there is such a robust training ecosystem is because a college education tends to focus too narrowly on "knowledge" and leaves "skills" development to the employer or training organization.  How do you know that a college degree means the student is prepared to do the job?  (Some professions are better than others - e.g., nursing, teaching, etc. - at putting students into job situations where experiential learning can occur and their qualifications can be observed.)  How do you know that a certification means the worker is prepared to do the job?  ANSWER:  Alignment of the NICE Workforce Framework and Performance-Based Assessments.

Apprentice

DarkReadingTim... it's a combination of things. Education, certifications, references (especially blind references), and having a candidate do actual problem cases are all part of what we lean on to measure security talent. 

Apprentice

Good points, @Carson. 

Signed, the English Major :-)

Kelly, the question of "can I hire a linguist to be a security FTE" is a question of (n) degrees of separation and how much time you have to train them. For example, many great security engineers I know were previously career musicians. There's an affinity in the way their minds work. However, you're probably starting from near-zero in terms of knowledge and skills.

On the other hand, the security skills set is changing dramatically. Automation engineers, data scientists and linguists are in hot demand, because those are now the needed skills. It used to be about TCP/IP and networks, now it's more of a data game.

Apprentice

If we don't use credentials like CISSP, how do we measure the level of skill/experience that the applicant has? Do we test prospective employees onsite?  Or is it all about your references?

Strategist

I like that, @Rodney: Cyber=Cool

I think we have to make cybersecurity careers more appealing and interesting.  That is one of the challenges of cybersecurity competitions - although extremely beneficial, they can tend to be unwelcoming to females and non-technical types.  The NICE Workforce Framework outlines 7 broad categories of work, 31 specialty areas, and underscores the diversity of the cybersecurity field.  However, teamwork, communication, and other soft skills are extremely important to cybersecurity, so we need to make cybersecurity sound like the exciting career that it is and not a field that is only populated by "geeks" or "nerds" (which is the popular impression).  We need to make cybersecurity careers COOL!

Apprentice

Sara, I think they are. Rodney made great points about skills training, not just education. They're both really important... you can't be well-rounded without a solid educational foundation, but you can't stay up-to-date without hard skills training.

Apprentice

One thing the DoD study found that I find interesting is that it's not necessarily the technical skills that are needed for today's cybersecurity jobs. Should organizations be recruiting college students from a wide variety of areas—psychology, linguistics, communications, etc.? <--following this theme

@Rodney @Carson  You're talkin' my language!!! Hiring based on skills, not traditional skills. Learning on the job, and benefiting from knowledge of the enterprise. I hope more people start thinking like you.  

Author

Great question about determining the quality of a college or university offering a cybersecurity program.  I would start by recommending that you consider a DHS/NSA Center of Academic Excellence in Cybersecurity (search cae community dot org) since they are designated based on meeting the CAE criteria and knowledge units.  There are many community colleges who are also CAE schools and we are working to improve the prospects for transferring from a 2Y to a 4Y school.  Whether a diploma or a certification, NICE also is an advocate for Performance-Based Assessments, which is why we support a grant for the creation of the NICE Challenge Project - an online tool for developing cybersecurity knowledge and skills and asserting competency.

Apprentice

@Linda  Thanks for the reference!

Author

@SoluFoodTo-Go, RE: how valuable will your degree be... there are some interesting ways to go about this. One is to get connected security professionals in your area (e.g. Meetups) and ask. If you can manage to lock into someone's time as a mentor, they can give you great guidance also. And you can always augment your skills with your own additional education... for example, take your own SANS, CSA, etc. courses. You will get out of your education what you put into it.

At the end of the day, if you have solid knowledge and skills, it doesn't matter where your degree comes from. I never finished undergrad, for that matter. It's about the content, not the source.


Apprentice

I think the apprenticeship model is spot-on, btw.

The CISSP also was most valued cert by security pros in a recent ESG-ISSA report, which found that some 56% of security pros hold a CISSP, and most say it was "valuable" both for getting hired (61%) and for on-the-job know-how (55%).

The NICE Conference in Kansas City on November 1st will feature an opening keynote by Byron Auguste on "Rewiring the Labor Market".  His premise is that employers need to hire based on skills, not traditional credentials, and should also focus on individuals with the ability to learn on the job.  That is why NICE is so interested in apprenticeships, cooperative education, and other "earn as you learn" programs.

Apprentice

Sara - RE: growing security skills from within, I believe in this approach whole-heartedly. Many companies do this. It's beneficial not only in terms of gaining cyber security skills, but also in gaining cyber security skills who already know the enterprise.  My experience has also been that some of the strongest security technologists out there were non-security technologists first. It provides a real-world, practical base to learn from.

Apprentice

Another resource for a cybersecurity overview has just been published by Dr. Ed Amoroso of TAG Cyber LLC.  He very recently published an annual overview, "Practical Handbook and Reference Guide for the Working Cyber Security Professional: The TAG Cyber 50 Enterprise Security Controls," as well as a volume of luminary interviews and a third volume listing all the various vendors people should get to know.   @Sara - Ed is also doing a course for over 100 companies that covers a variety of cybersecurity topics over a 25 week period.


Apprentice

That IS a good question

Author

I see a great question from @SoulFoodTo-Go:

HERE:

I'm in the group of employees with a degree and working in IT. For-profit schools have been in the news lately for their negative practices.  How are prospective students to know if the education they are getting is useful or will be respected in industry?

Robert D, the CCNA program is going to be very vendor-specific. It's also going to focus almost strictly on the network level of the I.T. delivery stack... and there's so much more. If you're looking for a broader survey of the security field, you might consider looking into a CISSP program or SANS education, and then see what specialization suits you... or maybe you'll decide to become a security generalist. But my suggestion is always to go broad then dial it in.

Apprentice

Ah, what are the "entry-level" positions.  GREAT QUESTION!  My experience has shown that the greatest demand is for mid-level jobs, typically requiring a bachelor's degree, certification(s), and experience.  However, the Cybersecurity Jobs Heat Map to be launched on November 1st will also include a Career Pathways Portal that will help us better answer the question of "what entry level jobs are available".  This is a critically important issue for NICE as we believe that individuals with the right skills, including an Associate's Degree, are capable of fulfilling many cybersecurity work roles.  The identification of "career pathways" is an important next step.

Apprentice

Taking this from the opposite angle... are employers training up their internal employees and/or willing to hire and train people with an interest in security, even if they don't have all the experience? Or are they only looking for experienced people? Because with a shortage like this, it seems like we'll never fill it if we're just fighting over the same few people, instead of creating new ones -- including those who may already be mid-career?

Author

Kelly, you're already doing some of that good work. :)   

Awareness through media is big. Other areas where we've tapped into unrealized talent have been via methods like online "hackathons" and even something as simple as a job fair. But in any case the key requirement is to have programs in place to nurture and round out the existing talent a person might bring in... these skills have to be developed and maintained.

Apprentice

So many questions.  So little time.  I especially like the one:  will the shortage problem ever stop?  I am inclined to answer "yes" and "no".  I think there are some ways to reduce the need for "cybersecurity workforce" if we have more secure products and infrastructure and can focus less on incident response.  However, the NICE Workforce Framework is moving towards a focus on Work Roles and that means that cybersecurity is (almost) everyone's responsibility.  So whether you "securely provision" or "oversee and govern" in the digital economy you will need to have the corresponding knowledge, skills, and abilities in order to succeed.


Apprentice

I'm in the group of employees with a degree and working in IT. For-profit schools have been in the news lately for their negative practices.  How are prospective students to know if the education they are getting is useful or will be respected in industry?

Apprentice

Wow--lots of great information on opportunities for training and ed in security. @Carson and @Rodney, what is the best way to get the word out about some of these to folks who are not as familiar with security/the industry and could be potential untapped talent?

Thanks to the attendees for joining. Some good questions appearing below..

Apprentice

Robert, yes, CCNA is something I too am exploring, even though it is manufacturer specific.


Apprentice

Estella, there are many pathways that I have discovered. Coming from an IT background, some of the core knowledge pathways include fundamentals in Network Administrator/Engineer, System Administrator, Web Administrator/Developer, IT Technical Support and DB Administrator.


Apprentice

Has anyone taken a look at the new CCNA CyberOps certification from Cisco? Does anyone think the certification will open doors for people who have some IT experience, but little exposure to cyber security?

Apprentice

I don't think there's any question we need more education and training at the entry level to get more security pros into the industry. But many of the technologies and threats we're seeing in large enterprises require a very skilled analyst with multiple years of experience. How will we get these new people experienced enough that they can perform these very sophisticated functions?


Strategist

Yes, we need to make computer sci, cybersecurity less intimidating to the public. The industry is missing a lot of talent. These are good jobs, that pay well. But too many people think it's something that is too far over their heads...

Strategist

What do you recommend for an IT Technician to transition into cybersecurity?


Apprentice

Agree with this! I wish they required comp sci when I was a student - for us, it was an elective. Security should be a must for all students, of any major.

Author

Great question @abernhar!

Author

It does seem like there should be a bit of both -- I had to take a Comp Sci class in order to graduate with a degree in journalism.   ???  Seems reasonable to have a 101 security class AS A FOUNDATION class, not an elective, and then reinforce them in all the other cases throughout everything else. 

Author

What are the job opportunities for an entry level Security+ certified individual today (sans university degree) and in the near future?

Apprentice

@Sara Certainly doesn't seem so! It's such a fascinating career. It's mind-bending that more people don't gravitate towards it. But for "regular folks" it is just too intimidating!

Strategist

First, second, third, millionth question: do you think we will EVER stop having this shortage problem? 

:(


Author

Excited to hear about new developments in the infosec jobs scene!

Strategist

We're glad everyone is here today! The player will appear above this window at the top of the hour -- if you don't see it, then please refresh your browser window (and make sure you're using a browser that supports Flash).

Author

Hi KJH - I'm looking forward to it too!

Apprentice

I'm really looking forward to our show today!
