Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

06:05 PM
Connect Directly

Security 101: How Businesses and Schools Bridge the Talent Gap

Security experts share the skills companies are looking for, the skills students are learning, and how to best find talent you need.

Cybersecurity is a fast-moving field and education has a hard time keeping up. Traditional colleges and universities are often behind the curve when it comes to cybersecurity, so how are future security engineers and CISOs learning the ropes? How will companies find them? And, when they do, how can they determine who truly has the skills they're looking for?

The demand for security talent only continues to rise. In its 2018 Cybersecurity Workforce Study, (ISC)² found the global shortage of security experts has hit 2.93 million. More than 63% of respondents report a lack of security staff; 60% say it puts them at moderate to extreme risk.

Security teams are poised to grow. In Dark Reading's survey, "Surviving the IT Security Skills Shortage," researchers learned only 45% of 400 IT and cybersecurity professionals have most of the people they need. Most (82%) planned to keep staffing the same or grow their teams.

Hiring talent takes time. A workforce study by ISACA's Cybersecurity Nexus found more than 25% of organizations take at least six months to fill priority security positions, and more than 40% received fewer than five applications for security roles. Further, 33% of organizations say it's tougher to get management approval for new security staff compared with two years ago.

When they do get approval, security leaders learn talent is incredibly hard to find. Nearly 40% of Dark Reading's respondents say there are plenty of less experienced/trained people available but the most-skilled positions are hard to fill. Thirty-five percent say there is a shortage of IT security professionals at almost every level.

The key to solving the security skills gap lies in education: training people with the right skills and giving them the experience they need to help businesses solve their problems. But what are students learning, and what should they be learning? What skills do businesses really want?

Security Syllabus: How Students Learn

Cloud security is a hot topic in education these days, says Tony Cole, CTO at Attivo Networks. (ISC)², Cybrary, and many other education platforms want to better understand the world's mass migration to cloud computing and the security implications it will bring going forward.

Incident response is another common topic in security education, as is penetration testing. An area Cole says he expected to grow more is cloud analytics, which isn't the topic of many courses. As companies look at their cloud security controls, processes, and policies, they'll need more people with those skills. "That's a huge component of moving to the cloud," Cole explains.

Like IT, programming, and other areas of tech, security is a skill best learned in practice. Nearly half of respondents in (ISC)²'s study say relevant security work experience is the most important qualification for employment, followed by knowledge of advanced security concepts (47%).

Security architecture is another important area, Cole says, and more university programs are beginning to offer it. The problem is students have little to no operational experience. "There's going to be a significant shortage for awhile until we incorporate recent grads into organizations and provide operational experience for them." One tactic could be offering internship experiences to undergraduates so they enter the workforce with real-world skills.

Cole points to a need for cybersecurity education in junior colleges and vocational programs. "We need to start at a lower level if we're going to get people interested in this," he adds.

When it comes to building their security skillsets, many students take courses at universities or colleges; some rely on conferences or online classes. Others learn skills via bug hunting. Businesses are now also getting into the trend of offering education to their employees.

"Most organizations you see today, and most I've been at, are trying to cut costs by going to online curricula," says Cole. "It's on demand, [employees] can pull it out any time."

Some institutions aim to offer real-life experience through competition. New York University's Tandon School of Engineering, for example, annually hosts a student-run cybersecurity competition dubbed CSAW. This year, its 15th running, saw 3,500 teams from more than 100 countries complete challenges designed by New York City's top ethical hackers.

"You cannot really teach about security by lecturing in a classroom," says Nasir Memon, professor in the department of computer science and engineering at NYU Tandon. "You have to understand how attackers work." High school and college students can test their hacking and defensive skills, compete against red teams or blue teams in an embedded security challenge, or show off their knowledge of security policy, applied research, and forensic analysis.

"It's a nice way to attract students to this discipline," Memon says. "Fifteen years back, security was not in people's minds." Students who compete often go on to pursue cybersecurity careers; those who don't often have a strong security foundation in software engineering or other roles.

Staffing Shortage: What Businesses Need

"There's a pretty good overlap," says Cole of the skillsets students are learning and those businesses want. Still, many may not have a clear idea. About one-third of (ISC)²'s respondents say organizations' lack of knowledge around security skills is a challenge to career progression.

When asked about the skills most critical to their organization's security posture, 58% said security awareness; the same percentage said risk assessment, analysis, and management. More than half (53%) said security administration, followed by network monitoring (52%), intrusion detection (51%), cloud computing security (51%), and security engineering (51%).

However, Cole points out, a challenge for businesses is soft skills are often not offered in security training – and they are becoming increasingly necessary as security teams are more often required to communicate with the CEO, board members, and technical teams. He suggests soft skills be built into security courses as opposed to having a standalone offering.

Dark Reading's survey found technical professionals who have "people skills" and are good communicators are rare; 52% of respondents say they are hardest to find. "People with experience in environments/industries similar to ours" is equally difficult, they report. Experience with latest technologies (41%), required credentials (32%), and offensive research/pentesting skills (18%) rounded out the list of hard-to-find security skillsets.

Verifying Skillsets

Skills listed on a resume mean little if candidates can't prove them. Methods for verifying security skills vary from business to business, says Cole.

Some test them online: candidates are directed to a portal where they complete skills challenges. If they pass, they move on to an in-person interview. Sometimes people are hired directly from these types of challenges without a face-to-face interaction, he explains.

"I think you're going to see more people build skills portals where they get tested before they come in the door," he adds, a tactic that could test for soft skills and raise red flags, if needed.

Still, some companies take the traditional route, bringing in candidates for interviews after they meet at a networking event or receive a resume via email. The applicant will meet with people in the organization and complete a skills assessment after their visit.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.