Dark Reading is part of the Informa Tech Division of Informa PLC

Application Security

10:30 AM
Andy Ellis

What Cyber Skills Shortage?

Employers can solve the skills gap by first recognizing that there isn't an archetypal "cybersecurity job" in the same way that there isn't an archetypal "automotive job." Here's how.

It feels like every day, there's another article citing the "cybersecurity skills shortage" as an obstacle to filling needed security jobs for the next decade. I disagree. There isn't a significant skills gap. There is a market mismatch. Most employers aren't looking at the people who are actually available; they toss up their hands, credit the skills shortage, and move on. But what's really going on?

First off, the idea of cybersecurity skills is a pretty one-dimensional view of the landscape of what the modern worker needs to bring to the table. Sometimes, it evokes the image of a black-hoodied hacker who can break applications; or maybe the security operations center (SOC) analyst watching alerts from the application security tool that monitors that application.

Even these two workers have skills that aren't really parallel. A hacker could be seen as just a quality assurance engineer, testing the negative space of an application (what it shouldn't do), while the SOC analyst is an operator/incident manager, looking for anomalous operations and following time-tested investigative steps to understand what's happening. So, how did we get to a belief in an insurmountable skills gap?

I suspect we glorified the polymaths of the industry: These are the security architects who can build complex software, break applications, understand distributed systems, manage complex organizations, reason about new and novel situations on the fly, and then cogently discuss them with executives and press.

That starts our hunt:

  • Employers look for candidates from top-tier universities who have enough experience to demonstrate competence, and target recruiting efforts around those individuals.
  • We complicate this in the US with incentives from different labor policies. We encode specific requirements for a position around degrees and years of experience. Companies limit their flexibility partly to comply with the "objective tests" standard for nondiscrimination and also to support visa-eligibility for technical staff.
  • Even if a talent acquisition team will be flexible on published requirements, it may be too late for many candidates, especially diverse ones. The confidence gap suggests that we'll dissuade more women than men, and likely minorities as well. We're choking off our pipeline before we even get started.

Bridging the Gap
Employers can solve their skills gap by recognizing, first and foremost, that there isn't an archetypal "cybersecurity job" in the same way there isn't an archetypal "automotive job." Think about cars for a moment. There are diverse jobs, from mechanics to engineers to drivers to sales to adjusters to washers to fleet managers. And probably dozens more I'm not thinking of. That's what the cybersecurity career field looks like.

We have hackers and analysts, certainly, but we also have program managers, educators, librarians, safety engineers, software engineers, architects, sales engineers, data scientists, finance officers, marketers, people managers, journalists, and even executives.

There isn't one cybersecurity skill set across that group, nor is there only one way into the career field. So, stop looking in only one pipeline. You can create several pipelines, and focus on developing talent, which is something you should be doing with all of your staff anyway.

Probably the most obvious place to start is your internship program. An internship program is a way to find candidates, but it isn't the end of talent acquisition; internships are just the start. Too often, companies hire interns and then effectively abandon them as entry-level workers. Considering the resources invested in recruiting interns, post-hire programs designed to advance and accelerate their skills and careers seem prudent.

We follow up internships in Akamai's infosec team with an extended mentorship through our Architect Studio, where our newly hired researchers get support for several years, developing the skills needed to contribute successfully as complex-system architects. Some of our staff work directly for the Studio, with assignments on projects that help them grow and successfully develop new skills. Some staff work in other teams but collaborate in development activities alongside the Studio. The goal is to create scaffolding around high-potential junior employees, with an eye to getting them out of junior roles as quickly as they are able to develop.

Technical Reskilling
An Akamai program I'm especially pleased with is our Akamai Technical Academy. This program takes candidates who haven't necessarily gotten the "right" degree, who entered a different career field, or who have taken time out from the workforce. It's a six-month classroom-based program, where incoming staff learn the bedrock skills to enter into a six-month placement contract with an Akamai team, after which we usually hire them into a full-time job.

For infosec jobs, we don't run a separate technical academy. We identify candidates in the core cohorts for quality assurance engineers, program managers, or operators, who look like they'd be good fits for us (often, by hearing them ask just the right number of hard questions), and bring them into a security job.

Insertion Jobs
Sometimes, we just hire right out of other career fields. Most cybersecurity jobs aren't entry-level positions. They're midcareer positions, requiring skill and competence in non-security areas. All too often, we promote cybersecurity staff into these jobs, taking them away from work they might be good at, and assigning them to areas where they have less experience. A better approach is to find career fields that already have the skills you really need.

The heart of a security compliance program, for instance, is a library of documentation, so we've hired librarians. Our threat research is a set of publications, so we hire journalists. Our risk governance activities are wide-scale safety programs, so we hire engineers with backgrounds in safety and logistics. Then we support these folks with on-the-job training and experience in the cybersecurity essentials to succeed.

In reality, almost all hires are "insertion" jobs, because they're coming from a different environment than yours. Surrounding all of your staff with good scaffolding to help them adjust to your environment and to a new set of work duties is going to maximize the benefits for everyone. And it's going to give you access to a wider, deeper, and more diverse talent pool.

And that's how you close the cybersecurity skills gap.

Andy Ellis is Akamai's chief security officer and his mission is "making the Internet suck less." Governing security, compliance, and safety for the planetary-scale cloud platform since 2000, he has designed many of its security products. Andy has also guided Akamai's IT ...

[email protected],
User Rank: Moderator
6/19/2019 | 12:07:30 PM
Re: What Cyber Skills Shortage
Andy, beautifully written, thank you.
User Rank: Ninja
6/4/2019 | 1:47:40 PM
Agree on many points
I wandered into cyber security from being a self-employed managed services consultant for small business - server build, workstation and user support, backups (I am good at that) and such - Malwarebytes was my scan platform of choice, as it is today. My new employer's manager thought I could learn a lot, and I did, so this is a classic insertion career choice and I'm damn glad to have made it. And it is too big of a field for any one CISSP (which I am not) to know - damn complex and many variant avenues. As is true in all of IT anyway. In sum total there may be a shortage, but only about pegs fitting into the right slots.