Dark Reading is part of the Informa Tech Division of Informa PLC

Careers & People

12/1/2020 02:00 PM
Sander Vinberg
Commentary

The Cybersecurity Skills Gap: It Doesn't Have to Be This Way

Once it becomes clear that off-the-shelf experts aren't realistic at scale, cultivating entry-level talent emerges as the only long-term solution -- not just for a hiring organization but for the field as a whole.

The cybersecurity skills gap has become an unavoidable lament. This is the commonplace idea that both the quality and quantity of candidates are falling short of what the industry needs to fulfill its mission. You usually see it framed in terms of x number of unfilled positions, or with a quote from an exasperated CISO that her new hires aren't ready to rock. The ramifications of this gap often look very dire — critical infrastructure threatened, lives lost, intellectual property pilfered, geopolitical advantages squandered, and won't-somebody-please-think-of-the-children?

To be sure, there are issues around security staffing and career paths. However, this skills gap is often presented as a criticism by hiring organizations of both security training and the sheer brainpower of the candidates, and it doesn't add up. The hiring organizations are both framing this problem in the wrong way and contributing to the problem themselves.

Looking for the Wrong Thing
The most obvious problem with security hiring is that there is virtually no ground floor. We consistently see job postings for entry-level positions that expect five years of experience or hands-on experience with expensive enterprise tools. Everybody hopes that someone else will put in the work of teaching candidates the ropes, but nobody wants to pay for the experience that they demand. Instead, despairing of finding good people, many directors turn to vendor solutions, which only widens the gap. This bait-and-switch not only leaves new candidates stranded but also makes the career path look comparatively bad. Why would you spend years in security internships if you could make good money immediately as a front-end dev? This leads to the next problem.

Looking in the Wrong Place
We're incorrectly defining the task. Many job postings use a computer science degree as a baseline prerequisite. However, most computer science students want to write software, so even if they're drawn to security, they're more likely to become engineers of security products than operators. Furthermore, the knowledge bases of security and computer science continue to grow apart. Security has grown into a field that changes shape depending on the angle you approach it from. If you try to define it as a technological problem, it morphs into a management problem. If you try to define it as a management problem, it morphs into a social problem, and so on. It's certainly not just a subset of computer science, which is why hiring as though it were is counterproductive.

Perhaps the biggest problem with security staffing, however, is that the field is increasingly segmented into roles with long learning curves and exclusive knowledge. A penetration tester is not interchangeable with a firewall engineer or a security operations center analyst, much less a cryptography specialist or an auditor. It would take months or years to change specializations and reach full productivity, even for experienced people. Security is a field that demands a commitment to lifelong learning no matter how intelligent or knowledgeable you are, which makes the turnkey candidate look more like a unicorn than a hiring strategy, at every point along the career path.

A New Path Forward
In short, many organizations are looking for the wrong thing in the wrong places and blaming newcomers for it. There is, however, another way. Once it becomes clear that off-the-shelf experts aren't realistic at scale, cultivating entry-level talent emerges as the only long-term solution — not just for a hiring organization but for the field as a whole. For these reasons, and not out of altruism, it's better to find new talent pools filled with people who are motivated and intellectually curious about the very idea of security, and coach them from the ground up. Diversity and inclusion are complex problems, so I'll just briefly mention that there is a wealth of people from "nontraditional" backgrounds who historically haven't gotten a chance, despite being talented, motivated, and extraordinarily resilient. Clever hiring managers will give these folks a shot!

It's possible many people are objecting at this point on the basis of urgency. Attackers don't wait for us to get our houses in order, and attacks are happening all around us. At the same time, to steal my colleague's line about incident response, if all you do is fight fires, that's all you will ever do. While it takes time to become a hotshot, the right candidates can still contribute in their first week, and will cost less in salary while they come up to speed. Meanwhile, things change so fast that some of the prerequisite knowledge on current postings will become obsolete, replaced by new platforms, new perspectives, or new buzzwords. Conversely, a fundamental interest in security as a constellation of messy solutions for messy problems will always be relevant.

So yes, the skills gap exists, and hiring is hard. Formulating the gap as strictly the candidates' responsibility is a disservice to everyone, including hiring organizations. The result is that security has become as much a field of products as a field of experts. The organizations that buck this trend early and take the homegrown path will find themselves awash with motivated talent, while those who hold out will continue to find excuses for why they can't find the right hire.

Sander Vinberg is a Threat Research Evangelist for F5 Labs. As the current lead researcher of the F5 Labs Application Protection Research Series, he has been focusing on the relationship between application architecture and risk, and recently presented research at RSA 2020, ...

Comments
SyntaxError, User Rank: Apprentice
12/9/2020 | 5:00:33 PM
Mind The Gap - But Don't Mind Me
I am the gap. A recovering lawyer turned IT security newbie, I can tell you firsthand that I have found many transferable skills that were not just relevant to cybersecurity, they became essential to my ability to assimilate the skills needed to grow in my new field. As you correctly point out, the "5 years of experience" required for entry-level jobs has me looking for both a new path and a noose, simultaneously. You are discussing a very important point here and I want to thank you for taking the time to do so. The point I would like to make is that professionals like me can be effective right away. In fact, I can learn at near lightning speed when I am challenged to complete actual tasks in a work environment as opposed to just doing labs on VMware. You are completely correct: the ask must be altered to allow for the expansion of knowledge and skills into the eager beaver newcomers like myself. If, for instance, we were not required to have 5 years of experience, but required to obtain a CEH certification within 6 months of hire and be proficient in Kali Linux after 30 days of shadowing employees who are, then I would succeed and continue to grow very quickly, exemplifying "5 years of experience" in 6 months or less. Measure us newbies by our ability to apply and expand our knowledge and you will find the impossible hires that you seek.