Cybersecurity is a fast-moving field and education has a hard time keeping up. Traditional colleges and universities are often behind the curve when it comes to cybersecurity, so how are future security engineers and CISOs learning the ropes? How will companies find them? And, when they do, how can they determine who truly has the skills they're looking for?
The demand for security talent only continues to rise. In its 2018 Cybersecurity Workforce Study, (ISC)² found the global shortage of security experts has hit 2.93 million. More than 63% of respondents report a lack of security staff; 60% say it puts them at moderate to extreme risk.
Security teams are poised to grow. In Dark Reading's survey, "Surviving the IT Security Skills Shortage," researchers learned only 45% of 400 IT and cybersecurity professionals have most of the people they need. Most (82%) planned to keep staffing the same or grow their teams.
Hiring talent takes time. A workforce study by ISACA's Cybersecurity Nexus found more than 25% of organizations take at least six months to fill priority security positions, and more than 40% received fewer than five applications for security roles. Further, 33% of organizations say it's tougher to get management approval for new security staff compared with two years ago.
When they do get approval, security leaders learn talent is incredibly hard to find. Nearly 40% of Dark Reading's respondents say there are plenty of less experienced/trained people available but the most-skilled positions are hard to fill. Thirty-five percent say there is a shortage of IT security professionals at almost every level.
The key to solving the security skills gap lies in education: training people with the right skills and giving them the experience they need to help businesses solve their problems. But what are students learning, and what should they be learning? What skills do businesses really want?
Security Syllabus: How Students Learn
Cloud security is a hot topic in education these days, says Tony Cole, CTO at Attivo Networks. (ISC)², Cybrary, and many other education platforms want to better understand the world's mass migration to cloud computing and the security implications it will bring going forward.
Incident response is another common topic in security education, as is penetration testing. One area Cole says he expected to see grow more is cloud analytics, which few courses cover. As companies examine their cloud security controls, processes, and policies, they'll need more people with those skills. "That's a huge component of moving to the cloud," Cole explains.
Like IT, programming, and other areas of tech, security is a skill best learned in practice. Nearly half of respondents in (ISC)²'s study say relevant security work experience is the most important qualification for employment, followed by knowledge of advanced security concepts (47%).
Security architecture is another important area, Cole says, and more university programs are beginning to offer it. The problem is students have little to no operational experience. "There's going to be a significant shortage for a while until we incorporate recent grads into organizations and provide operational experience for them." One tactic could be offering internship experiences to undergraduates so they enter the workforce with real-world skills.
Cole points to a need for cybersecurity education in junior colleges and vocational programs. "We need to start at a lower level if we're going to get people interested in this," he adds.
When it comes to building their security skillsets, many students take courses at universities or colleges; some rely on conferences or online classes. Others learn skills via bug hunting. Businesses, too, are increasingly offering security education to their own employees.
"Most organizations you see today, and most I've been at, are trying to cut costs by going to online curricula," says Cole. "It's on demand, [employees] can pull it out any time."
Some institutions aim to offer real-life experience through competition. New York University's Tandon School of Engineering, for example, annually hosts a student-run cybersecurity competition dubbed CSAW. This year, its 15th running, saw 3,500 teams from more than 100 countries complete challenges designed by New York City's top ethical hackers.
"You cannot really teach about security by lecturing in a classroom," says Nasir Memon, professor in the department of computer science and engineering at NYU Tandon. "You have to understand how attackers work." High school and college students can test their hacking and defensive skills, compete against red teams or blue teams in an embedded security challenge, or show off their knowledge of security policy, applied research, and forensic analysis.
"It's a nice way to attract students to this discipline," Memon says. "Fifteen years back, security was not in people's minds." Students who compete often go on to pursue cybersecurity careers; those who don't often have a strong security foundation in software engineering or other roles.
Staffing Shortage: What Businesses Need
"There's a pretty good overlap," says Cole of the skillsets students are learning and those businesses want. Still, many businesses may not have a clear idea of which skills they actually need. About one-third of (ISC)²'s respondents say organizations' lack of knowledge around security skills is a challenge to career progression.
When asked about the skills most critical to their organization's security posture, 58% said security awareness; the same percentage said risk assessment, analysis, and management. More than half (53%) said security administration, followed by network monitoring (52%), intrusion detection (51%), cloud computing security (51%), and security engineering (51%).
However, Cole points out, a challenge for businesses is that soft skills are often not offered in security training, and they are becoming increasingly necessary as security teams are more often required to communicate with the CEO, board members, and technical teams. He suggests soft skills be built into security courses rather than offered as a standalone course.
Dark Reading's survey found technical professionals who have "people skills" and are good communicators are rare; 52% of respondents say they are hardest to find. "People with experience in environments/industries similar to ours" is equally difficult, they report. Experience with latest technologies (41%), required credentials (32%), and offensive research/pentesting skills (18%) rounded out the list of hard-to-find security skillsets.
Skills listed on a resume mean little if candidates can't prove them. Methods for verifying security skills vary from business to business, says Cole.
Some test them online: candidates are directed to a portal where they complete skills challenges. If they pass, they move on to an in-person interview. Sometimes people are hired directly from these types of challenges without a face-to-face interaction, he explains.
"I think you're going to see more people build skills portals where they get tested before they come in the door," he adds, a tactic that could test for soft skills and raise red flags, if needed.
Still, some companies take the traditional route, bringing in candidates for interviews after they meet at a networking event or receive a resume via email. The applicant will meet with people in the organization and complete a skills assessment after their visit.