Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

6/4/2019
10:30 AM
Andy Ellis
Andy Ellis
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

What Cyber Skills Shortage?

Employers can solve the skills gap by first recognizing that there isn't an archetypal "cybersecurity job" in the same way that there isn't an archetypal "automotive job." Here's how.

It feels like every day, there's another article citing the "cybersecurity skills shortage" as an obstacle to filling needed security jobs for the next decade. I disagree. There isn't a significant skills gap. There is a market mismatch. Most employers aren't looking at the people who are actually available; they toss up their hands, credit the skills shortage, and move on. But what's really going on?

First off, the idea of cybersecurity skills is a pretty one-dimensional view of the landscape of what the modern worker needs to bring to the table. Sometimes, it evokes the image of a black-hoodied hacker who can break applications; or maybe the security operations center (SOC) analyst watching alerts from the application security tool that monitors that application.

Even these two workers have skills that aren't really parallel. A hacker could be seen as just a quality assurance engineer, testing the negative space of an application (what it shouldn't do), while the SOC analyst is an operator/incident manager, looking for anomalous operations and following time-tested investigative steps to understand what's happening. So, how did we get to a belief in an insurmountable skills gap?

I suspect we glorified the polymaths of the industry: These are the security architects who can build complex software, break applications, understand distributed systems, manage complex organizations, reason about new and novel situations on the fly, and then cogently discuss them with executives and press.

That starts our hunt:

  • Employers look for candidates from top-tier universities who have enough experience to demonstrate competence, and target recruiting efforts around those individuals.
  • We complicate this in the US with incentives from different labor policies. We encode specific requirements for a position around degrees and years of experience. Companies limit their flexibility partly to comply with the "objective tests" standard for nondiscrimination and also to support visa-eligibility for technical staff.
  • Even if a talent acquisition team will be flexible on published requirements, it may be too late for many candidates, especially diverse ones. The confidence gap suggests that we'll dissuade more women than men, and likely minorities as well. We're choking off our pipeline before we even get started.

Bridging the Gap
Employers can solve their skills gap by recognizing, first and foremost, that there isn't an archetypal "cybersecurity job" in the same way there isn't an archetypal "automotive job." Think about cars for a moment. There are diverse jobs, from mechanics to engineers to drivers to sales to adjusters to washers to fleet managers. And probably dozens more I'm not thinking of. That's what the cybersecurity career field looks like.

We have hackers and analysts, certainly, but we also have program managers, educators, librarians, safety engineers, software engineers, architects, sales engineers, data scientists, finance officers, marketers, people managers, journalists, and even executives.

There isn't one cybersecurity skill set across that group, nor is there only one way into the career field. So, stop looking in only one pipeline. You can create several pipelines, and focus on developing talent, which is something you should be doing with all of your staff anyway.

Internships
Probably the most obvious place to start is through your internship program. An internship program is just a way to find candidates, but it isn't the end of talent acquisition. Internships are just the start. Too often, companies hire interns, and then effectively abandon them as entry-level workers. Considering the resources invested in recruiting through interns, post-hire programs designed to advance and accelerate their skills careers seem prudent.

We follow up internships in Akamai's infosec team with an extended mentorship through our Architect Studio, where our newly hired researchers get support for several years, developing the skills needed to contribute successfully as complex-system architects. Some of our staff work directly for the Studio, with assignments on projects that help them grow and develop new skills with success. Some staff work in other teams, but collaborate in development activities alongside the Studio. The goal is to create scaffolding around high-potential junior employees, with an eye to getting them out of junior roles as quickly as they are able to develop.

Technical Reskilling
An Akamai program I'm especially pleased with is our Akamai Technical Academy. This program takes candidates who haven't necessarily gotten the "right" degree, entered a different career field, or have taken time out from the workforce. It's a six-month classroom-based program, where incoming staff learn the bedrock skills to enter into a six-month placement contract with an Akamai team, after which we usually hire them to a full-time job.

For infosec jobs, we don't run a separate technical academy. We identify candidates in the core cohorts for quality assurance engineers, program managers, or operators, who look like they'd be good fits for us (often, by hearing them ask just the right number of hard questions), and bring them into a security job.

Insertion Jobs
Sometimes, we just hire right out of other career fields. Most cybersecurity jobs aren't entry-level positions. They're midcareer positions, requiring skill and competence in non-security areas. All too often, we promote cybersecurity staff into these jobs, taking them away from work they might be good at, and assigning them to areas where they have less experience. A better approach is to find career fields that already have the skills you really need.

The heart of a security compliance program, for instance, is a library of documentation, so we've hired librarians. Our threat research is a set of publications, so we hire journalists. Our risk governance activities are wide-scale safety programs, so we hire engineers with backgrounds in safety and logistics. Then we support these folks with on-the-job training and experience in the cybersecurity essentials to succeed.

In reality, almost all hires are "insertion" jobs, because they're coming from a different environment to yours. Surrounding all of your staff with good scaffolding to help them make the adjustment to your environment and to a new set of work duties is going to maximize the benefits for everyone. And it's going to give you access to a wider, deeper, and more diverse talent pool.

And that's how you close the cybersecurity skills gap.

Related Content:

Andy Ellis is Akamai's chief security officer and his mission is "making the Internet suck less." Governing security, compliance, and safety for the planetary-scale cloud platform since 2000, he has designed many of its security products. Andy has also guided Akamai's IT ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
bwilkes8@gmail.com
50%
50%
[email protected],
User Rank: Strategist
6/19/2019 | 12:07:30 PM
Re: What Cyber Skills Shortage
Andy, beautifully written, thank you.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
6/4/2019 | 1:47:40 PM
Agree on many points
I wandered into cyber security from a self-employed managed services consultant for small business - server build, workstation and user support, backups ( I am good at that) and such - Malwarebytes was my scan platform of choice, as it is today.  My employment new manager thought I could learn alot of and i did so this is a classic insertion career choice and damn glad to have made it.  And it is too big of a field for any one CIISP (which I am not) to know - damn complex and many variant avenues.  As is true in all of IT anyway.  In sum total there may be a shortage but only about pegs fitting into the right slots. 
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10133
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.
CVE-2019-10134
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded.
CVE-2019-10154
PUBLISHED: 2019-06-26
A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations.
CVE-2019-9039
PUBLISHED: 2019-06-26
The Couchbase Sync Gateway 2.1.2 in combination with a Couchbase Server is affected by a previously undisclosed N1QL-injection vulnerability in the REST API. An attacker with access to the public REST API can insert additional N1QL statements through the parameters ?startkey? and ?endkey? of the ?_a...
CVE-2018-20846
PUBLISHED: 2019-06-26
Out-of-bounds accesses in the functions pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash).