Dark Reading is part of the Informa Tech Division of Informa PLC


Careers & People

Sander Vinberg

The Cybersecurity Skills Gap: It Doesn't Have to Be This Way

Once it becomes clear that off-the-shelf experts aren't realistic at scale, cultivating entry-level talent emerges as the only long-term solution -- not just for a hiring organization but for the field as a whole.

The cybersecurity skills gap has become an unavoidable lament. This is the commonplace idea that both the quality and quantity of candidates are falling short of what the industry needs to fulfill its mission. You usually see it framed in terms of x number of unfilled positions, or with a quote from an exasperated CISO that her new hires aren't ready to rock. The ramifications of this gap often look very dire — critical infrastructure threatened, lives lost, intellectual property pilfered, geopolitical advantages squandered, and won't-somebody-please-think-of-the-children?


To be sure, there are issues around security staffing and career paths. However, this skills gap is often presented as a criticism by hiring organizations of both security training and the sheer brainpower of the candidates, and it doesn't add up. The hiring organizations are both framing this problem in the wrong way and contributing to the problem themselves.

Looking for the Wrong Thing
The most obvious problem with security hiring is that there is virtually no ground floor. We consistently see job postings for entry-level positions that expect five years of experience or hands-on experience with expensive enterprise tools. Everybody hopes that someone else will put in the work of teaching candidates the ropes, but nobody wants to pay for the experience that they demand. Instead, despairing of finding good people, many directors turn to vendor solutions, which only widens the gap. This bait-and-switch not only leaves new candidates stranded but also makes the career path look comparatively bad. Why would you spend years in security internships if you could make good money immediately as a front-end dev? This leads to the next problem.

Looking in the Wrong Place
We're incorrectly defining the task. Many job postings use a computer science degree as a baseline prerequisite. However, most computer science students want to write software, so even if they're drawn to security, they're more likely to become engineers of security products than operators. Furthermore, the knowledge bases of security and computer science continue to grow apart. Security has grown into a field that looks different depending on where you stand. If you try to define it as a technological problem, it morphs into a management problem. If you try to define it as a management problem, it morphs into a social problem, and so on. It's certainly not just a subset of computer science, which is why hiring as though it were is counterproductive.

Perhaps the biggest problem with security staffing, however, is that the field is increasingly segmented into roles with long learning curves and exclusive knowledge. A penetration tester is not exchangeable for a firewall engineer or a security operations center analyst, much less a cryptography specialist or an auditor. It would take months or years to change specializations and reach full productivity, even for experienced people. Security demands a commitment to lifelong learning no matter how intelligent or knowledgeable you are. That makes the turnkey candidate look more like a unicorn than a hiring strategy, at every stage of the career path.

A New Path Forward
In short, many organizations are looking for the wrong thing in the wrong places and blaming newcomers for it. There is, however, another way. Once it becomes clear that off-the-shelf experts aren't realistic at scale, cultivating entry-level talent emerges as the only long-term solution — not just for a hiring organization but for the field as a whole. For these reasons, and not out of altruism, it's better to find new talent pools filled with people who are motivated and intellectually curious about the very idea of security, and coach them from the ground up. Diversity and inclusion are complex problems, so I'll just briefly mention that there is a wealth of people from "nontraditional" backgrounds who historically haven't gotten a chance, despite being talented, motivated, and extraordinarily resilient. Clever hiring managers will give these folks a shot!

It's possible many people are objecting at this point on the basis of urgency. Attackers don't wait for us to get our houses in order, and attacks are happening all around us. At the same time, to steal my colleague's line about incident response, if all you do is fight fires, that's all you will ever do. While it takes time to become a hotshot, the right candidates can still contribute in their first week, and will cost less in salary while they come up to speed. Meanwhile, things change so fast that some of the prerequisite knowledge on current postings will become obsolete, replaced by new platforms, new perspectives, or new buzzwords. Conversely, a fundamental interest in security as a constellation of messy solutions for messy problems will always be relevant.

So yes, the skills gap exists, and hiring is hard. Formulating the gap as strictly the candidates' responsibility is a disservice to everyone, including hiring organizations. The result is that security has become as much a field of products as a field of experts. The organizations that buck this trend early and take the homegrown path will find themselves awash with motivated talent, while those who hold out will continue to find excuses for why they can't find the right hire.

Sander Vinberg is a Threat Research Evangelist for F5 Labs. As the current lead researcher of the F5 Labs Application Protection Research Series, he has been focusing on the relationship between application architecture and risk, and recently presented research at RSA 2020, ...

12/9/2020 | 5:00:33 PM
Mind The Gap - But Don't Mind Me
I am the gap. A recovering lawyer turned IT security newbie, I can tell you firsthand that I have found many transferable skills that were not just relevant to cybersecurity, they became essential to my ability to assimilate the skills needed to grow in my new field. As you correctly point out, the "5 years of experience" required for entry-level jobs has me looking for both a new path and a noose, simultaneously. You are discussing a very important point here and I want to thank you for taking the time to do so. The point I would like to make is that professionals like me can be effective right away. In fact, I can learn at near lightning speed when I am challenged to complete actual tasks in a work environment as opposed to just doing labs on VMware. You are completely correct, the ask must be altered to allow for the expansion of knowledge and skills into the eager beaver newcomers like myself. If, for instance, we were not required to have 5 years of experience, but required to obtain a CEH certification within 6 months of hire and be proficient in Kali Linux after 30 days of shadowing employees who are, then I would succeed and continue to grow very quickly, exemplifying "5 years of experience" in 6 months or less. Measure us newbies by our ability to apply and expand our knowledge and you will find the impossible hires that you seek.