Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

12/20/2018
06:05 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Security 101: How Businesses and Schools Bridge the Talent Gap

Security experts share the skills companies are looking for, the skills students are learning, and how to best find talent you need.

Cybersecurity is a fast-moving field and education has a hard time keeping up. Traditional colleges and universities are often behind the curve when it comes to cybersecurity, so how are future security engineers and CISOs learning the ropes? How will companies find them? And, when they do, how can they determine who truly has the skills they're looking for?

The demand for security talent only continues to rise. In its 2018 Cybersecurity Workforce Study, (ISC)² found the global shortage of security experts has hit 2.93 million. More than 63% of respondents report a lack of security staff; 60% say it puts them at moderate to extreme risk.

Security teams are poised to grow. In Dark Reading's survey, "Surviving the IT Security Skills Shortage," researchers learned only 45% of 400 IT and cybersecurity professionals have most of the people they need. Most (82%) planned to keep staffing the same or grow their teams.

Hiring talent takes time. A workforce study by ISACA's Cybersecurity Nexus found more than 25% of organizations take at least six months to fill priority security positions, and more than 40% received fewer than five applications for security roles. Further, 33% of organizations say it's tougher to get management approval for new security staff compared with two years ago.

When they do get approval, security leaders learn talent is incredibly hard to find. Nearly 40% of Dark Reading's respondents say there are plenty of less experienced/trained people available but the most-skilled positions are hard to fill. Thirty-five percent say there is a shortage of IT security professionals at almost every level.

The key to solving the security skills gap lies in education: training people with the right skills and giving them the experience they need to help businesses solve their problems. But what are students learning, and what should they be learning? What skills do businesses really want?

Security Syllabus: How Students Learn

Cloud security is a hot topic in education these days, says Tony Cole, CTO at Attivo Networks. (ISC)², Cybrary, and many other education platforms want to better understand the world's mass migration to cloud computing and the security implications it will bring going forward.

Incident response is another common topic in security education, as is penetration testing. An area Cole says he expected to grow more is cloud analytics, which isn't the topic of many courses. As companies look at their cloud security controls, processes, and policies, they'll need more people with those skills. "That's a huge component of moving to the cloud," Cole explains.

Like IT, programming, and other areas of tech, security is a skill best learned in practice. Nearly half of respondents in (ISC)²'s study say relevant security work experience is the most important qualification for employment, followed by knowledge of advanced security concepts (47%).

Security architecture is another important area, Cole says, and more university programs are beginning to offer it. The problem is students have little to no operational experience. "There's going to be a significant shortage for awhile until we incorporate recent grads into organizations and provide operational experience for them." One tactic could be offering internship experiences to undergraduates so they enter the workforce with real-world skills.

Cole points to a need for cybersecurity education in junior colleges and vocational programs. "We need to start at a lower level if we're going to get people interested in this," he adds.

When it comes to building their security skillsets, many students take courses at universities or colleges; some rely on conferences or online classes. Others learn skills via bug hunting. Businesses are now also getting into the trend of offering education to their employees.

"Most organizations you see today, and most I've been at, are trying to cut costs by going to online curricula," says Cole. "It's on demand, [employees] can pull it out any time."

Some institutions aim to offer real-life experience through competition. New York University's Tandon School of Engineering, for example, annually hosts a student-run cybersecurity competition dubbed CSAW. This year, its 15th running, saw 3,500 teams from more than 100 countries complete challenges designed by New York City's top ethical hackers.

"You cannot really teach about security by lecturing in a classroom," says Nasir Memon, professor in the department of computer science and engineering at NYU Tandon. "You have to understand how attackers work." High school and college students can test their hacking and defensive skills, compete against red teams or blue teams in an embedded security challenge, or show off their knowledge of security policy, applied research, and forensic analysis.

"It's a nice way to attract students to this discipline," Memon says. "Fifteen years back, security was not in people's minds." Students who compete often go on to pursue cybersecurity careers; those who don't often have a strong security foundation in software engineering or other roles.

Staffing Shortage: What Businesses Need

"There's a pretty good overlap," says Cole of the skillsets students are learning and those businesses want. Still, many may not have a clear idea. About one-third of (ISC)²'s respondents say organizations' lack of knowledge around security skills is a challenge to career progression.

When asked about the skills most critical to their organization's security posture, 58% said security awareness; the same percentage said risk assessment, analysis, and management. More than half (53%) said security administration, followed by network monitoring (52%), intrusion detection (51%), cloud computing security (51%), and security engineering (51%).

However, Cole points out, a challenge for businesses is soft skills are often not offered in security training – and they are becoming increasingly necessary as security teams are more often required to communicate with the CEO, board members, and technical teams. He suggests soft skills be built into security courses as opposed to having a standalone offering.

Dark Reading's survey found technical professionals who have "people skills" and are good communicators are rare; 52% of respondents say they are hardest to find. "People with experience in environments/industries similar to ours" is equally difficult, they report. Experience with latest technologies (41%), required credentials (32%), and offensive research/pentesting skills (18%) rounded out the list of hard-to-find security skillsets.

Verifying Skillsets

Skills listed on a resume mean little if candidates can't prove them. Methods for verifying security skills vary from business to business, says Cole.

Some test them online: candidates are directed to a portal where they complete skills challenges. If they pass, they move on to an in-person interview. Sometimes people are hired directly from these types of challenges without a face-to-face interaction, he explains.

"I think you're going to see more people build skills portals where they get tested before they come in the door," he adds, a tactic that could test for soft skills and raise red flags, if needed.

Still, some companies take the traditional route, bringing in candidates for interviews after they meet at a networking event or receive a resume via email. The applicant will meet with people in the organization and complete a skills assessment after their visit.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
TiaGilbert
50%
50%
TiaGilbert,
User Rank: Apprentice
9/23/2020 | 6:54:09 PM
Article
Good article!
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...