
Careers & People

James Hadley

To Narrow the Cyber Skills Gap with Attackers, Cut the Red Tape

Attackers are getting further ahead, and entrenched corporate rules shoulder much of the blame.

In recent years, the cyber skills gap between attackers and defenders has widened. Corporate security teams — their hands tied by budget constraints, box-ticking exercises, internal politics, and outdated training — are struggling to catch up. More than half of organizations now consider the shortage of adequately trained cybersecurity professionals to be a major problem.

Attackers, on the other hand, have no such problem. Unfettered by corporate issues, they operate in the type of purist environment in which technical talent thrives. They "learn by doing" — continually coming up with creative ideas to solve a problem, rewarding curiosity and perseverance, and encouraging innovation. Because of this, they remain steadfastly in the lead. While many companies talk about a need to address the cyber skills gap, few are challenging existing norms. The security sector is good at tearing up rule books, so it's about time this applied to skills development.

Deeply embedded legacy process lies at the heart of an organization's cyber skills gap. For example, HR teams typically are involved in the hiring of cyber talent. Not that this is wrong, but while filtering candidates, an absence of specialized technical knowledge is often compensated for by an overreliance on formal accreditations and certifications.

Although certifications do have relevance and carry weight, they can also exclude genuine talent. They rely on the person having the time and resources to undertake them in the first place, discounting those who don't have either or even possess the mindset to do structured courses in the first place. As many in the industry know, raw, unstructured talent often is the best.

To this point, skills gained through experience and creative thinking bring immeasurable depth to a security team. Much classroom-based training neglects this, using passive listen-and-learn methods that don't always appeal to the personality types of high-performing cybersecurity talent. The most effective cybersecurity professionals want to learn on the job. Naturally inquisitive, they prefer to take things apart and find out how they operate. This is a self-learned skill and it is deeply personal, not something that can be dictated.

An organization's internal people structures also stop the right skills getting to the right place. Rigid hierarchies enforced by subtle work politics still dominate security teams, meaning those responsible for specific areas are not always the best qualified but simply people with more time in the game. This is where such teams can learn from their foes. Attackers put more stock in the idea of a meritocracy. If someone is a better malware writer, they write malware — letting the expert social engineer worry about hooking people with a targeted phish.

Speed of response — the main issue that dominates any cybersecurity countermeasure — is also the single biggest problem for any organization when it comes to closing the skills gap. If security skills are ever expected to keep up with those of an attacker, they must be updated as regularly and often as attacks change. This is not happening in the majority of cases. Malware morphs continuously, domains are generated randomly, and Web app attacks are dynamic, yet training happens the third Thursday in the last month of the quarter.

This factor is widening the gap between attack and defense more than any other factor. Current training approaches mean that the skills learned are often out of date by the time the person leaves the classroom. Cyber skills training needs to be continuous to be relevant. You wouldn't expect your technical defenses to operate on outdated threat intel, so why your human ones?

Here Are Some Steps to Cut Through the Red Tape

  • Look for demonstrable skills and experience rather than just formal qualifications.
  • Include a skills-based test as part of the recruitment process.
  • Ensure a cybersecurity professional — third party if necessary — is involved throughout the entire process.
  • Gamify training — story-driven wargames will allow teams and individuals to hone their skills in "real life" situations.
  • Base any training on real-time threat intelligence to assure greater preparedness.

James Hadley founded Immersive Labs in January 2017 after delivering GCHQ's cyber summer school. It was during these sessions he realized that passive, classroom-based learning doesn't suit the people, or pace, of cybersecurity. Not only did the content date quickly, its ...

5/22/2019 | 3:17:32 AM
The Offensive Security Model
This is one of the most re-hashed complaints in tech and for a reason.  Since the Nineties I've been working in tech and always sought out work where part of the interview process put me in front of a terminal.  Even the certifications I've obtained I leave off my resume because getting a job based off certs my last company footed the bill for means I didn't prove myself to the new employer.  Give the candidate a pile of parts and have them build a PC/server/laptop, install an OS, configure a network; break into the network.  Don't tell me what you've done, show me what you can do.

For InfoSec, just as in respected certs for Linux, the model must include partial book work and paper tests, but the majority has to be hands-on execution, proof of knowledge, or no cert.  Companies who want to obtain quality employees and keep them will adopt a similar model, including some of the recommendations in this article.  Implement an intensive hands-on interview process, "show me".  Implement a regular boot-camp with capture the flag (CTF) events to keep employees sharp; encourage gamification.

It's amazing how quickly the weak links are identified when your models become interactive - combative - and stop being passive.  If you're serious about your security and the integrity of your network, background checks and onsite hands-on proof of skill should be priority one, paper an afterthought.
5/21/2019 | 3:43:39 PM
They are paper proving you passed a test.  In a sense, great but mostly not so much.  Experience in the field counts and that goes for ANY subject in ANY field.  Not all IT staff have the budget for a CISSP certification and similar ones.  True that is the gold standard but not many exist and the skill gap needs to be filled.  I would encourage filling the gap and providing resources for knowing candidates to GET a degree relatively quickly and efficiently.  BTW - when I was a self-employed consultant some 5 years ago, knew nothing about malware and practical measures on backup saved a 501C3 museum from Cryptolocker.  I was doing it RIGHT WITHOUT KNOWING IT.  Restoration 98% within 3 hours.  Not bad.  So experience counts.  Read that, Baltimore?

Full disclosure - on September 11 my data center crashed 103 floors in the south tower and I got out of 101 of them by walking.  Relatively familiar by default with disaster recovery and business continuity planning.