The cybersecurity skills gap has become an unavoidable lament. This is the commonplace idea that both the quality and quantity of candidates are falling short of what the industry needs to fulfill its mission. You usually see it framed in terms of x number of unfilled positions, or with a quote from an exasperated CISO that her new hires aren't ready to rock. The ramifications of this gap often look very dire — critical infrastructure threatened, lives lost, intellectual property pilfered, geopolitical advantages squandered, and won't-somebody-please-think-of-the-children?
To be sure, there are issues around security staffing and career paths. However, this skills gap is often presented as a criticism by hiring organizations of both security training and the sheer brainpower of the candidates, and it doesn't add up. The hiring organizations are both framing this problem in the wrong way and contributing to the problem themselves.
Looking for the Wrong Thing
The most obvious problem with security hiring is that there is virtually no ground floor. We consistently see job postings for entry-level positions that expect five years of experience or hands-on experience with expensive enterprise tools. Everybody hopes that someone else will put in the work of teaching candidates the ropes, but nobody wants to pay for the experience that they demand. Instead, despairing of finding good people, many directors turn to vendor solutions, which only widens the gap. This bait-and-switch not only leaves new candidates stranded but also makes the career path look comparatively bad. Why would you spend years in security internships if you could make good money immediately as a front-end dev? This leads to the next problem.
Looking in the Wrong Place
We're incorrectly defining the task. Many job postings use a computer science degree as a baseline prerequisite. However, most computer science students want to write software, so even if they're drawn to security, they're more likely to become engineers of security products than operators. Furthermore, the knowledge bases of security and computer science continue to grow apart. Security has grown into a field that looks different depending on how you look at it. If you try to define it as a technological problem, it morphs into a management problem. If you try to define it as a management problem, it morphs into a social problem, and so on. It's certainly not just a subset of computer science, which is why hiring this way is counterproductive.
Perhaps the biggest problem with security staffing, however, is that the field is increasingly segmented into roles with long learning curves and exclusive knowledge. A penetration tester is not exchangeable for a firewall engineer, or a security operations center analyst — much less a cryptography specialist or an auditor. It would take months or years to change specializations and reach full productivity, even for experienced people. Security is a field that demands a commitment to lifelong learning no matter how intelligent or knowledgeable you are, which makes the idea of a turnkey candidate look more like a unicorn and less like a hiring strategy for people all along the career path.
A New Path Forward
In short, many organizations are looking for the wrong thing in the wrong places and blaming newcomers for it. There is, however, another way. Once it becomes clear that off-the-shelf experts aren't realistic at scale, cultivating entry-level talent emerges as the only long-term solution — not just for a hiring organization but for the field as a whole. For these reasons, and not out of altruism, it's better to find new talent pools filled with people who are motivated and intellectually curious about the very idea of security, and coach them from the ground up. Diversity and inclusion are complex problems, so I'll just briefly mention that there is a wealth of people from "nontraditional" backgrounds who historically haven't gotten a chance, despite being talented, motivated, and extraordinarily resilient. Clever hiring managers will give these folks a shot!
It's possible many people are objecting at this point on the basis of urgency. Attackers don't wait for us to get our houses in order, and attacks are happening all around us. At the same time, to steal my colleague's line about incident response, if all you do is fight fires, that's all you will ever do. While it takes time to become a hotshot, the right candidates can still contribute in their first week, and will cost less in salary while they come up to speed. Meanwhile, things change so fast that some of the prerequisite knowledge on current postings will become obsolete, replaced by new platforms, new perspectives, or new buzzwords. Conversely, a fundamental interest in security as a constellation of messy solutions for messy problems will always be relevant.
So yes, the skills gap exists, and hiring is hard. Formulating the gap as strictly the candidates' responsibility is a disservice to everyone, including hiring organizations. The result is that security has become as much a field of products as a field of experts. The organizations that buck this trend early and take the homegrown path will find themselves awash with motivated talent, while those who hold out will continue to find excuses for why they can't find the right hire.