Dark Reading | Careers & People

By Sander Vinberg, 02:00 PM
The Cybersecurity Skills Gap: It Doesn't Have to Be This Way

Once it becomes clear that off-the-shelf experts aren't realistic at scale, cultivating entry-level talent emerges as the only long-term solution -- not just for a hiring organization but for the field as a whole.

The cybersecurity skills gap has become an unavoidable lament. This is the commonplace idea that both the quality and quantity of candidates are falling short of what the industry needs to fulfill its mission. You usually see it framed in terms of x number of unfilled positions, or with a quote from an exasperated CISO that her new hires aren't ready to rock. The ramifications of this gap often look very dire — critical infrastructure threatened, lives lost, intellectual property pilfered, geopolitical advantages squandered, and won't-somebody-please-think-of-the-children?

To be sure, there are issues around security staffing and career paths. However, this skills gap is often presented as a criticism by hiring organizations of both security training and the sheer brainpower of the candidates, and it doesn't add up. The hiring organizations are both framing this problem in the wrong way and contributing to the problem themselves.

Looking for the Wrong Thing
The most obvious problem with security hiring is that there is virtually no ground floor. We consistently see job postings for entry-level positions that expect five years of experience or hands-on experience with expensive enterprise tools. Everybody hopes that someone else will put in the work of teaching candidates the ropes, but nobody wants to pay for the experience that they demand. Instead, despairing of finding good people, many directors turn to vendor solutions, which only widens the gap. This bait-and-switch not only leaves new candidates stranded but also makes the career path look comparatively bad. Why would you spend years in security internships if you could make good money immediately as a front-end dev? This leads to the next problem.

Looking in the Wrong Place
We're incorrectly defining the task. Many job postings use a computer science degree as a baseline prerequisite. However, most computer science students want to write software, so even if they're drawn to security, they're more likely to become engineers of security products than operators. Furthermore, the knowledge bases of security and computer science continue to grow apart. Security has grown into a field that looks different depending on how you look at it. If you try to define it as a technological problem, it morphs into a management problem. If you try to define it as a management problem, it morphs into a social problem, and so on. It's certainly not just a subset of computer science, which is why hiring this way is counterproductive.

Perhaps the biggest problem with security staffing, however, is that the field is increasingly segmented into roles with long learning curves and exclusive knowledge. A penetration tester is not exchangeable for a firewall engineer, or a security operations center analyst — much less a cryptography specialist or an auditor. It would take months or years to change specializations and reach full productivity, even for experienced people. Security is a field that demands a commitment to lifelong learning no matter how intelligent or knowledgeable you are, which makes the idea of a turnkey candidate look more like a unicorn and less like a hiring strategy for people all along the career path.

A New Path Forward
In short, many organizations are looking for the wrong thing in the wrong places and blaming newcomers for it. There is, however, another way. Once it becomes clear that off-the-shelf experts aren't realistic at scale, cultivating entry-level talent emerges as the only long-term solution — not just for a hiring organization but for the field as a whole. For these reasons, and not out of altruism, it's better to find new talent pools filled with people who are motivated and intellectually curious about the very idea of security, and coach them from the ground up. Diversity and inclusion are complex problems, so I'll just briefly mention that there is a wealth of people from "nontraditional" backgrounds who historically haven't gotten a chance, despite being talented, motivated, and extraordinarily resilient. Clever hiring managers will give these folks a shot!

It's possible many people are objecting at this point on the basis of urgency. Attackers don't wait for us to get our houses in order, and attacks are happening all around us. At the same time, to steal my colleague's line about incident response, if all you do is fight fires, that's all you will ever do. While it takes time to become a hotshot, the right candidates can still contribute in their first week, and will cost less in salary while they come up to speed. Meanwhile, things change so fast that some of the prerequisite knowledge on current postings will become obsolete, replaced by new platforms, new perspectives, or new buzzwords. Conversely, a fundamental interest in security as a constellation of messy solutions for messy problems will always be relevant.

So yes, the skills gap exists, and hiring is hard. Formulating the gap as strictly the candidates' responsibility is a disservice to everyone, including hiring organizations. The result is that security has become as much a field of products as a field of experts. The organizations that buck this trend early and take the homegrown path will find themselves awash with motivated talent, while those who hold out will continue to find excuses for why they can't find the right hire.

Sander Vinberg is a Threat Research Evangelist for F5 Labs. As the current lead researcher of the F5 Labs Application Protection Research Series, he has been focusing on the relationship between application architecture and risk, and recently presented research at RSA 2020, ...

Reader comment, 12/9/2020 5:00:33 PM (User Rank: Apprentice)
Mind The Gap - But Don't Mind Me
I am the gap. A recovering lawyer turned IT security newbie, I can tell you firsthand that I have found many transferable skills that were not just relevant to cybersecurity; they became essential to my ability to assimilate the skills needed to grow in my new field. As you correctly point out, the "5 years of experience" required for entry-level jobs has me looking for both a new path and a noose, simultaneously. You are discussing a very important point here, and I want to thank you for taking the time to do so. The point I would like to make is that professionals like me can be effective right away. In fact, I can learn at near lightning speed when I am challenged to complete actual tasks in a work environment as opposed to just doing labs on VMware. You are completely correct: the ask must be altered to allow for the expansion of knowledge and skills into the eager-beaver newcomers like myself. If, for instance, we were not required to have 5 years of experience, but were required to obtain a CEH certification within 6 months of hire and be proficient in Kali Linux after 30 days of shadowing employees who are, then I would succeed and continue to grow very quickly, exemplifying "5 years of experience" in 6 months or less. Measure us newbies by our ability to apply and expand our knowledge, and you will find the impossible hires that you seek.