Analytics
2/21/2014
10:39 AM
Sara Peters
Commentary

Solving The Security Workforce Shortage

To solve the skills shortage, the industry will need to attract a wider group of people and create an entirely new sort of security professional

Companies looking for more security staff aren't going to find them -- they're going to have to make them.

The good news for security professionals is that security is a growth industry, with plenty of jobs right now. The pay is good and the competition is slim. The bad news is that, in the absence of capable colleagues, security staff are hideously overworked. The job is secure, but only if you can survive it.

In recent years, CISOs have succeeded in getting more boardroom buy-in for security tools and staff. According to (ISC)2's most recent Global Information Security Workforce Study, two-thirds of C-level managers believe their security departments are too small. Employers are interested in expanding their security staff, but they can't find people to fill the positions.

According to the study, the most sought-after quality is a broad knowledge of security -- more of a strategic understanding than technical know-how -- followed by certifications. This is a tricky combination. Individual technical certifications don't provide a broad understanding of security strategy, and CISSP certifications are only given to people who already have five years of experience working as a security professional.

"There really aren't many entry-level positions in security in the same way there are in other industries," says Julie Peeler, head of the (ISC)2 Foundation. "What we really need is people who have experience beyond the one piece of technology. More than just a Cisco server, they need to know how servers work, and how servers link to each other. They need to understand the strategy and engineering behind a server. They don't make those in college."

Peeler says that the entire security industry is moving away from the super-techie with the IT degree.

"Because of the rise of the security analyst -- someone who can take a lot of disparate information and cull the truth out of it -- companies are looking at people with liberal arts backgrounds -- necessarily non-technical backgrounds," says Peeler. "A lot of these analytical skills are hard to teach."

The trouble then is, if the people we want in IT jobs do not have IT backgrounds, how can we coax them to apply?

The first trouble is awareness. As Peeler says, nobody comes to the third-grade class on career day and tells kids what it's like to be a security pro.

"Even when some people are aware of the industry," adds Peeler, "it looks really hard and really complicated, so I think there's a barrier to overcome there. It's not, in fact, rocket science."

Therefore, says Peeler, the security industry needs to do more to connect with children in primary and secondary school, as well as expand partnerships with universities. In addition to providing more mentoring, internships, and apprenticeships, the security industry needs to work with universities to create curricula that are nimble enough to respond to a rapidly changing industry.

In addition to attracting more non-techies, it needs to attract more women. Currently only 11 percent of the security workforce consists of women.

"If we doubled the number of women in security tomorrow, it would eliminate the shortage for a full year," said Peeler. "It's not just a cultural issue. It's an economic issue."

(ISC)2 is in the process of creating a Women in Security initiative to address this problem, and Peeler is doing a session about this at the RSA conference in San Francisco next week.

Although the security skills shortage is a global problem, some countries are having more success than others. Ireland, for example, has a thriving security sector that's adding jobs all the time.

"Ireland's core strength is that you can get people at a reasonable price in a reasonable time frame. There's an availability of talent, because it's a good place to live, so people are willing to relocate," says Stephen Brennan, Board of Directors, AdaptiveMobile, and former VP of Symantec Research Labs.

In addition to being a nice place to live, Ireland is particularly well-suited to drawing American businesses and European workers because it is the only English-speaking country in Europe that uses the Euro and it is located in the time zone nearest to the U.S. The European governments have also lowered barriers to entry, making it quick and easy for workers from Eastern Europe to take jobs in Ireland.

Nevertheless, it was a slow process that took years of investment. McAfee and Symantec opened operations in Ireland decades ago, and now there are major security clusters in Dublin and Cork that include a variety of security companies. According to Symantec, the country's security sector employs more than 6,000 people. Symantec, FireEye, McAfee, and Mandiant created more than 700 jobs in Ireland in the last year alone.

If the rest of the world is going to solve its security skills shortage, it will need to create similar clusters in other parts of the world.

Have other ideas about what the security community can do to attract new talent? Let us know in the comments below. And if you're going to the RSA conference next week, check out the sessions in the Professional Development track.

Sara Peters is contributing editor to Dark Reading and editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other ...

Comments
Lutera77,
User Rank: Apprentice
3/19/2014 | 1:04:31 AM
re: Solving The Security Workforce Shortage
@ubm_techweb_disqus_sso_-ae164aab1ecb02b2dc74be3a06f28f7c:disqus - what I list in a job requirement is the ideal candidate. If you don't meet all of the requirements, you should craft your response in such a manner that it convinces the recruiter and me you can do the job. What is underlying your comment is that in many cases, recruiters are generally not adding the necessary value to the process. I agree that this is a problem for some organizations.

@ubm_techweb_disqus_sso_-0480d4a7522709036363932f5b73339c:disqus - I've been at cybersecurity in many different sectors for a long time (20+ yrs). In the recent past I used to see non-techies go into threat intelligence, policy, and strategy; the latter two _generally_ only if you have an advanced degree from a prestigious university. In the commercial sector, threat intel weenies produced interesting but generally not actionable reporting, so we started to use techies and trained them in intel so they can produce actionable threat reporting & indicators (it's hard to connect the dots if you don't understand the rules of the environment). Fwiw, neither my colleagues I speak with nor I have had generally positive experiences with candidates who have cybersecurity degrees, advanced or otherwise. Personally, I generally hire based on references. If I do take a chance, I generally look for at least a minor in EE/Computer Engineering/ComSci from a top 50 program and some experience (~2-3 yrs) as a network/systems engineer or low-level software engineer. The best people I've taken a chance on have had a minor in one of those fields and a major in the arts/humanities. I admit, my criteria are generally narrow and I may miss qualified candidates. However, I can't spend the time required to find the diamond in the rough ... and neither can my recruiters.
Lutera77,
User Rank: Apprentice
3/19/2014 | 12:36:39 AM
re: Solving The Security Workforce Shortage
Sara - I think you should evaluate underlying assumptions that you used in developing the title for your article. If you treat the labor market as an economics problem, there really is no such thing as a shortage of supply; only a shortage at the price-point that you're willing to pay. Given the level of effort required to become & remain highly skilled in this domain, it may cost more to entice the types of people who _can_ excel into investing the effort to acquire & maintain the necessary skills.
Sara Peters,
User Rank: Apprentice
3/4/2014 | 9:08:35 PM
re: Solving The Security Workforce Shortage
@byarbrough I completely agree with you. The experts I spoke to see things one way, but they're not the people who are actually doing the hiring. I think that the people conducting the research can be quite insightful, but they can't make a difference on their own. They can ask a bunch of questions and get a good idea for what the hiring managers really need and want, and they can point to good candidates and say "that's what you need and want," but they can't MAKE the hiring managers change their ways. It's like really unsuccessful matchmaking -- a person thinks they know what they want in a mate, and they keep going out with the same kind of person over and over again, and don't understand why it never works out.
Sara Peters,
User Rank: Apprentice
3/4/2014 | 9:02:24 PM
re: Solving The Security Workforce Shortage
@jdeerman750 Ageism is a very real problem in a lot of fields, of course, but why do you think it exists in security? (I agree that it does.) Companies seem to be willing to spend the money on security people, so they're not squeezing out the senior professionals based on salary. They seem to be having a hard time finding experienced people, so they're not passing on seasoned professionals based on the fact that there is such a huge number of job applicants. And the days of people staying with a company for 20 years and retiring at age 63 are gone -- people stay for 5 years, and retire when they're 70, if they're lucky. So the argument of "well we don't want to hire someone who's 50, because they'll be retiring soon" doesn't hold water either.

Is it simply that people perceive security as a young person's game?
Sara Peters,
User Rank: Apprentice
3/4/2014 | 8:56:11 PM
re: Solving The Security Workforce Shortage
@Old Bull Thanks so much for your comment, because you're confirming for me what I'm seeing too -- and not just in the security field. So many employers don't know what they should be looking for, first of all. And then even when they DO know what they're looking for... they still don't look for it. Their actions don't fit with their words. It boggles my mind. If there really is a shortage, then why haven't employers started opening up their minds a bit?

It's the same in many places -- employers asking for the moon and stars from every applicant -- but in lots of fields that's because there are TOO MANY people looking for work. It's unfortunate, but understandable. In security, where there are apparently jobs remaining open for such a long time, this approach is not understandable at all.
byarbrough2008,
User Rank: Apprentice
3/4/2014 | 6:57:48 PM
re: Solving The Security Workforce Shortage
Sara - I, like many others, read this article with much interest. While I dare say all related articles are off the mark in terms of reality, I will say that you are the closest to the mark so far.

From my perspective, managers are not hiring in security regardless of background unless you have demonstrated experience in the industry (beyond personal or educational experience) and hold 1-M certifications, chiefly, the CISSP.

It is not so much an age issue, gender issue, or even a degree concentration issue as much as it is an organizational/management issue. Until the gap between entry through experienced positions has been bridged, there will continue to be shortages. Until organizations and management embrace cross-functional skills and a willingness to work with experienced professionals who may need a little coaching but could excel if given the chance, the shortage will only become worse.
Old Bull,
User Rank: Apprentice
2/25/2014 | 7:32:51 PM
re: Solving The Security Workforce Shortage
The "ageism" in IT-related positions is legendary yet it seems to me that those seasoned peeps are the ones who should be the *most* sought after. The EEOC doesn't seem to have much interest in age discrimination cases.

So, I'm not the only one who questions this "need for cybersecurity experts" when there are so many willing and able. Something about it just doesn't add up.
Old Bull,
User Rank: Apprentice
2/25/2014 | 7:16:47 PM
re: Solving The Security Workforce Shortage
@ Sara, it was with great interest I read this article because I fit this description of the "non-techie" security applicant. I have psychology and business degrees, and twenty-plus years of seasoned business experience. Last year, I completed an M.S. degree in cybersecurity (no certs yet) and since have applied to approximately 75 cybersecurity firms and businesses advertising for cybersecurity positions even though I may not have the exact qualifications they stipulate. (Does anyone?) I haven't had the first interview or the first query of interest, even after listing my information with all of the IT job boards.

The reason I went back to school for the graduate degree was so much talk of a shortage of people needed in cybersecurity, going back even for several years. However, the job ads I've seen put such qualifications on job candidates that they won't fill many (or most?) of these positions for a decade, until those they can groom early on from secondary schools are finished with school. Qualifications such as "must have an active security clearance in place", "minimum 5+ years experience" in this and that, "CISSP required", and so on. There is no interest in security newbies nor is there a desire to invest in developing anyone though the need for people is reportedly there.

So, coming from the trenches, I'm just not seeing this hunt for the non-techie security analyst. It just isn't happening. Please inform as to which companies are interested in us non-techies.

R.S.
jdeerman750,
User Rank: Apprentice
2/24/2014 | 8:18:52 PM
re: Solving The Security Workforce Shortage
It's also interesting that the discussion is always about the need for new trained security professionals but I have yet to see a discussion about keeping the older security professionals in the workforce. I know first hand as a senior security professional (that's someone in their late 50's) with over 20 years of experience in the security field, that companies complain about shortages but will not even consider a senior professional. I hear a lot about shortages of security professionals but the writers should add a caveat to these stories, "of workers under 50".
Guest,
User Rank: Apprentice
2/22/2014 | 12:08:37 AM
re: Solving The Security Workforce Shortage
I did not realize that detecting and battling the exertions of the most technically advanced criminal forces in the history of humankind, boils down to gender, sociability and emotional intelligence. Thank you for explaining the issue in logical, critically thought out terms.