Dark Reading is part of the Informa Tech Division of Informa PLC


02:30 PM
James Hadley

To Narrow the Cyber Skills Gap with Attackers, Cut the Red Tape

Attackers are getting further ahead, and entrenched corporate rules shoulder much of the blame.

In recent years, the cyber skills gap between attackers and defenders has widened. Corporate security teams — their hands tied by budget constraints, box-ticking exercises, internal politics, and outdated training — are struggling to catch up. More than half of organizations now consider the shortage of adequately trained cybersecurity professionals to be a major problem.

Attackers, on the other hand, have no such problem. Unfettered by corporate issues, they operate in the type of purist environment in which technical talent thrives. They "learn by doing" — continually coming up with creative ideas to solve a problem, rewarding curiosity and perseverance, and encouraging innovation. Because of this, they remain steadfastly in the lead. While many companies talk about a need to address the cyber skills gap, few are challenging existing norms. The security sector is good at tearing up rule books, so it's about time this applied to skills development.

Deeply embedded legacy process lies at the heart of an organization's cyber skills gap. For example, HR teams typically are involved in the hiring of cyber talent. This is not wrong in itself, but when candidates are filtered, an absence of specialized technical knowledge is often compensated for by an overreliance on formal accreditations and certifications.

Although certifications do have relevance and carry weight, they can also exclude genuine talent. They rely on the person having the time and resources to undertake them in the first place, discounting those who have neither, or who lack the mindset for structured courses. As many in the industry know, raw, unstructured talent often is the best.

To this point, skills gained through experience and creative thinking bring immeasurable depth to a security team. Much classroom-based training neglects this, using passive listen-and-learn methods that don't always appeal to the personality types of high-performing cybersecurity talent. The most effective cybersecurity professionals want to learn on the job. Naturally inquisitive, they prefer to take things apart and find out how they operate. This is a self-learned skill and it is deeply personal, not something that can be dictated.

An organization's internal people structures also stop the right skills getting to the right place. Rigid hierarchies enforced by subtle work politics still dominate security teams, meaning those responsible for specific areas are not always the best qualified but simply people with more time in the game. This is where such teams can learn from their foes. Attackers put more stock in the idea of a meritocracy. If someone is a better malware writer, they write malware — letting the expert social engineer worry about hooking people with a targeted phish.  

Speed of response — the main issue that dominates any cybersecurity countermeasure — is also the single biggest problem for any organization when it comes to closing the skills gap. If security skills are ever expected to keep up with those of an attacker, they must be updated as regularly and often as attacks change. This is not happening in the majority of cases. Malware morphs continuously, domains are generated randomly, and Web app attacks are dynamic, yet training happens the third Thursday in the last month of the quarter.

This is widening the gap between attack and defense more than any other factor. Current training approaches mean that the skills learned are often out of date by the time the person leaves the classroom. Cyber skills training needs to be continuous to be relevant. You wouldn't expect your technical defenses to operate on outdated threat intel, so why expect it of your human ones?

Here Are Some Steps to Cut Through the Red Tape

  • Look for demonstrable skills and experience rather than just formal qualifications.
  • Include a skills-based test as part of the recruitment process.
  • Ensure a cybersecurity professional — third party if necessary — is involved throughout the entire process.
  • Gamify training — story-driven wargames will allow teams and individuals to hone their skills in "real life" situations.
  • Base any training on real-time threat intelligence to assure greater preparedness.



James Hadley founded Immersive Labs in January 2017 after delivering GCHQ's cyber summer school. It was during these sessions he realized that passive, classroom-based learning doesn't suit the people, or pace, of cybersecurity. Not only did the content date quickly, its ...

User Rank: Ninja
5/22/2019 | 3:17:32 AM
The Offensive Security Model
This is one of the most re-hashed complaints in tech and for a reason.  Since the Nineties I've been working in tech and always sought out work where part of the interview process put me in front of a terminal.  Even the certifications I've obtained I leave off my resume because getting a job based off certs my last company footed the bill for means I didn't prove myself to the new employer.  Give the candidate a pile of parts and have them build a PC/server/laptop, install an OS, configure a network; break into the network.  Don't tell me what you've done, show me what you can do.

For InfoSec, just as in respected certs for Linux, the model must include partial book work and paper tests, but the majority has to be hands-on execution, proof of knowledge, or no cert.  Companies who want to obtain quality employees and keep them will adopt a similar model, including some of the recommendations in this article.  Implement an intensive hands-on interview process, "show me".  Implement a regular boot-camp with capture the flag (CTF) events to keep employees sharp; encourage gamification.

It's amazing how quickly the weak links are identified when your models become interactive - combative - and stop being passive.  If you're serious about your security and the integrity of your network, background checks and onsite hands-on proof of skill should be priority one, paper an afterthought.   
User Rank: Ninja
5/21/2019 | 3:43:39 PM
They are paper proving you passed a test.  In a sense, great but mostly not so much.  Experience in the field counts and that goes for ANY subject in ANY field.  Not all IT staff have the budget for a CIISP certification and similar ones.  True that is the gold standard but not many exist and the skill gap needs to be filled.  I would encourage filling the gap and providing resources for knowing candidates to GET a degree relatively quickly and efficiently.  BTW - when I was a self-employed consultant some 5 years ago, knew nothing about malware and practical measures on backup saved a 501C3 museum from Cryptolocker.  I was doing it RIGHT WITHOUT KNOWING IT.  Restoration 98% within 3 hours.  Not bad.  So experience counts.  Read that Baltimore?

Full disclosure - on September 11 my data center crashed 103 floors in the south tower and I got out of 101 of them by walking.  Relatively familiar by default with disaster recovery and business continuity planning. 