Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

12/20/2018
06:05 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Security 101: How Businesses and Schools Bridge the Talent Gap

Security experts share the skills companies are looking for, the skills students are learning, and how to best find talent you need.

Cybersecurity is a fast-moving field and education has a hard time keeping up. Traditional colleges and universities are often behind the curve when it comes to cybersecurity, so how are future security engineers and CISOs learning the ropes? How will companies find them? And, when they do, how can they determine who truly has the skills they're looking for?

The demand for security talent only continues to rise. In its 2018 Cybersecurity Workforce Study, (ISC)² found the global shortage of security experts has hit 2.93 million. More than 63% of respondents report a lack of security staff; 60% say it puts them at moderate to extreme risk.

Security teams are poised to grow. In Dark Reading's survey, "Surviving the IT Security Skills Shortage," researchers learned only 45% of 400 IT and cybersecurity professionals have most of the people they need. Most (82%) planned to keep staffing the same or grow their teams.

Hiring talent takes time. A workforce study by ISACA's Cybersecurity Nexus found more than 25% of organizations take at least six months to fill priority security positions, and more than 40% received fewer than five applications for security roles. Further, 33% of organizations say it's tougher to get management approval for new security staff compared with two years ago.

When they do get approval, security leaders learn talent is incredibly hard to find. Nearly 40% of Dark Reading's respondents say there are plenty of less experienced/trained people available but the most-skilled positions are hard to fill. Thirty-five percent say there is a shortage of IT security professionals at almost every level.

The key to solving the security skills gap lies in education: training people with the right skills and giving them the experience they need to help businesses solve their problems. But what are students learning, and what should they be learning? What skills do businesses really want?

Security Syllabus: How Students Learn

Cloud security is a hot topic in education these days, says Tony Cole, CTO at Attivo Networks. (ISC)², Cybrary, and many other education platforms want to better understand the world's mass migration to cloud computing and the security implications it will bring going forward.

Incident response is another common topic in security education, as is penetration testing. An area Cole says he expected to grow more is cloud analytics, which isn't the topic of many courses. As companies look at their cloud security controls, processes, and policies, they'll need more people with those skills. "That's a huge component of moving to the cloud," Cole explains.

Like IT, programming, and other areas of tech, security is a skill best learned in practice. Nearly half of respondents in (ISC)²'s study say relevant security work experience is the most important qualification for employment, followed by knowledge of advanced security concepts (47%).

Security architecture is another important area, Cole says, and more university programs are beginning to offer it. The problem is students have little to no operational experience. "There's going to be a significant shortage for awhile until we incorporate recent grads into organizations and provide operational experience for them." One tactic could be offering internship experiences to undergraduates so they enter the workforce with real-world skills.

Cole points to a need for cybersecurity education in junior colleges and vocational programs. "We need to start at a lower level if we're going to get people interested in this," he adds.

When it comes to building their security skillsets, many students take courses at universities or colleges; some rely on conferences or online classes. Others learn skills via bug hunting. Businesses are now also getting into the trend of offering education to their employees.

"Most organizations you see today, and most I've been at, are trying to cut costs by going to online curricula," says Cole. "It's on demand, [employees] can pull it out any time."

Some institutions aim to offer real-life experience through competition. New York University's Tandon School of Engineering, for example, annually hosts a student-run cybersecurity competition dubbed CSAW. This year, its 15th running, saw 3,500 teams from more than 100 countries complete challenges designed by New York City's top ethical hackers.

"You cannot really teach about security by lecturing in a classroom," says Nasir Memon, professor in the department of computer science and engineering at NYU Tandon. "You have to understand how attackers work." High school and college students can test their hacking and defensive skills, compete against red teams or blue teams in an embedded security challenge, or show off their knowledge of security policy, applied research, and forensic analysis.

"It's a nice way to attract students to this discipline," Memon says. "Fifteen years back, security was not in people's minds." Students who compete often go on to pursue cybersecurity careers; those who don't often have a strong security foundation in software engineering or other roles.

Staffing Shortage: What Businesses Need

"There's a pretty good overlap," says Cole of the skillsets students are learning and those businesses want. Still, many may not have a clear idea. About one-third of (ISC)²'s respondents say organizations' lack of knowledge around security skills is a challenge to career progression.

When asked about the skills most critical to their organization's security posture, 58% said security awareness; the same percentage said risk assessment, analysis, and management. More than half (53%) said security administration, followed by network monitoring (52%), intrusion detection (51%), cloud computing security (51%), and security engineering (51%).

However, Cole points out, a challenge for businesses is soft skills are often not offered in security training – and they are becoming increasingly necessary as security teams are more often required to communicate with the CEO, board members, and technical teams. He suggests soft skills be built into security courses as opposed to having a standalone offering.

Dark Reading's survey found technical professionals who have "people skills" and are good communicators are rare; 52% of respondents say they are hardest to find. "People with experience in environments/industries similar to ours" is equally difficult, they report. Experience with latest technologies (41%), required credentials (32%), and offensive research/pentesting skills (18%) rounded out the list of hard-to-find security skillsets.

Verifying Skillsets

Skills listed on a resume mean little if candidates can't prove them. Methods for verifying security skills vary from business to business, says Cole.

Some test them online: candidates are directed to a portal where they complete skills challenges. If they pass, they move on to an in-person interview. Sometimes people are hired directly from these types of challenges without a face-to-face interaction, he explains.

"I think you're going to see more people build skills portals where they get tested before they come in the door," he adds, a tactic that could test for soft skills and raise red flags, if needed.

Still, some companies take the traditional route, bringing in candidates for interviews after they meet at a networking event or receive a resume via email. The applicant will meet with people in the organization and complete a skills assessment after their visit.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19645
PUBLISHED: 2019-12-09
alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.
CVE-2019-19678
PUBLISHED: 2019-12-09
In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the generic field entry point via the Generic Test Definition field of a new Generic Test issue.
CVE-2019-19679
PUBLISHED: 2019-12-09
In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the Pre-Condition Summary entry point via the summary field of a Create Pre-Condition action for a new Test Issue.
CVE-2019-19647
PUBLISHED: 2019-12-09
radare2 through 4.0.0 lacks validation of the content variable in the function r_asm_pseudo_incbin at libr/asm/asm.c, ultimately leading to an arbitrary write. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted input.
CVE-2019-19648
PUBLISHED: 2019-12-09
In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.