
10:30 AM
Andy Ellis

What Cyber Skills Shortage?

Employers can solve the skills gap by first recognizing that there isn't an archetypal "cybersecurity job" in the same way that there isn't an archetypal "automotive job." Here's how.

It feels like every day, there's another article citing the "cybersecurity skills shortage" as an obstacle to filling needed security jobs for the next decade. I disagree. There isn't a significant skills gap. There is a market mismatch. Most employers aren't looking at the people who are actually available; they throw up their hands, credit the skills shortage, and move on. But what's really going on?

First off, the idea of cybersecurity skills is a pretty one-dimensional view of the landscape of what the modern worker needs to bring to the table. Sometimes, it evokes the image of a black-hoodied hacker who can break applications; or maybe the security operations center (SOC) analyst watching alerts from the application security tool that monitors that application.

Even these two workers have skills that aren't really parallel. A hacker could be seen as just a quality assurance engineer, testing the negative space of an application (what it shouldn't do), while the SOC analyst is an operator/incident manager, looking for anomalous operations and following time-tested investigative steps to understand what's happening. So, how did we get to a belief in an insurmountable skills gap?

I suspect we glorified the polymaths of the industry: These are the security architects who can build complex software, break applications, understand distributed systems, manage complex organizations, reason about new and novel situations on the fly, and then cogently discuss them with executives and press.

That starts our hunt:

  • Employers look for candidates from top-tier universities who have enough experience to demonstrate competence, and target recruiting efforts around those individuals.
  • We complicate this in the US with incentives from different labor policies. We encode specific requirements for a position around degrees and years of experience. Companies limit their flexibility partly to comply with the "objective tests" standard for nondiscrimination and also to support visa-eligibility for technical staff.
  • Even if a talent acquisition team will be flexible on published requirements, it may be too late for many candidates, especially diverse ones. The confidence gap suggests that we'll dissuade more women than men, and likely minorities as well. We're choking off our pipeline before we even get started.

Bridging the Gap
Employers can solve their skills gap by recognizing, first and foremost, that there isn't an archetypal "cybersecurity job" in the same way there isn't an archetypal "automotive job." Think about cars for a moment. There are diverse jobs, from mechanics to engineers to drivers to sales to adjusters to washers to fleet managers. And probably dozens more I'm not thinking of. That's what the cybersecurity career field looks like.

We have hackers and analysts, certainly, but we also have program managers, educators, librarians, safety engineers, software engineers, architects, sales engineers, data scientists, finance officers, marketers, people managers, journalists, and even executives.

There isn't one cybersecurity skill set across that group, nor is there only one way into the career field. So, stop looking in only one pipeline. You can create several pipelines, and focus on developing talent, which is something you should be doing with all of your staff anyway.

Probably the most obvious place to start is through your internship program. An internship program is a way to find candidates, but it isn't the end of talent acquisition. Internships are just the start. Too often, companies hire interns, and then effectively abandon them as entry-level workers. Considering the resources invested in recruiting through interns, post-hire programs designed to advance their skills and accelerate their careers seem prudent.

We follow up internships in Akamai's infosec team with an extended mentorship through our Architect Studio, where our newly hired researchers get support for several years, developing the skills needed to contribute successfully as complex-system architects. Some of our staff work directly for the Studio, with assignments on projects that help them grow and develop new skills. Some staff work in other teams, but collaborate in development activities alongside the Studio. The goal is to create scaffolding around high-potential junior employees, with an eye to getting them out of junior roles as quickly as they are able to develop.

Technical Reskilling
An Akamai program I'm especially pleased with is our Akamai Technical Academy. This program takes candidates who haven't necessarily gotten the "right" degree, who entered a different career field, or who have taken time out from the workforce. It's a six-month classroom-based program, where incoming staff learn the bedrock skills to enter a six-month placement contract with an Akamai team, after which we usually hire them into a full-time job.

For infosec jobs, we don't run a separate technical academy. We identify candidates in the core cohorts for quality assurance engineers, program managers, or operators, who look like they'd be good fits for us (often, by hearing them ask just the right number of hard questions), and bring them into a security job.

Insertion Jobs
Sometimes, we just hire right out of other career fields. Most cybersecurity jobs aren't entry-level positions. They're midcareer positions, requiring skill and competence in non-security areas. All too often, we promote cybersecurity staff into these jobs, taking them away from work they might be good at, and assigning them to areas where they have less experience. A better approach is to find career fields that already have the skills you really need.

The heart of a security compliance program, for instance, is a library of documentation, so we've hired librarians. Our threat research is a set of publications, so we hire journalists. Our risk governance activities are wide-scale safety programs, so we hire engineers with backgrounds in safety and logistics. Then we support these folks with on-the-job training and experience in the cybersecurity essentials to succeed.

In reality, almost all hires are "insertion" jobs, because they're coming from a different environment to yours. Surrounding all of your staff with good scaffolding to help them make the adjustment to your environment and to a new set of work duties is going to maximize the benefits for everyone. And it's going to give you access to a wider, deeper, and more diverse talent pool.

And that's how you close the cybersecurity skills gap.

Andy Ellis is Akamai's chief security officer and his mission is "making the Internet suck less." Governing security, compliance, and safety for the planetary-scale cloud platform since 2000, he has designed many of its security products. Andy has also guided Akamai's IT ...

[email protected], User Rank: Moderator
6/19/2019 | 12:07:30 PM
Re: What Cyber Skills Shortage

Andy, beautifully written, thank you.
User Rank: Ninja
6/4/2019 | 1:47:40 PM
Agree on many points

I wandered into cyber security from being a self-employed managed services consultant for small business: server builds, workstation and user support, backups (I am good at that) and such. Malwarebytes was my scan platform of choice, as it is today. My new manager at my employer thought I could learn a lot, and I did, so this is a classic insertion career choice and I'm damn glad to have made it. And it is too big of a field for any one CISSP (which I am not) to know; damn complex and many variant avenues. As is true in all of IT anyway. In sum total there may be a shortage, but only about pegs fitting into the right slots.