Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

2/28/2017
02:00 PM
Lysa Myers
Lysa Myers
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

How Security Pros Can Bridge The Skills Shortage

By paying it forward, we can help address the industry's exploding need for talent.

If you feel like you’re overworked and that your security department is short-staffed, you’re probably not imagining it. Two reports were released recently, with less-than-encouraging statistics about the growing security skills shortage. Is there anything we can do to stem the tide?

ISACA’s Current Trends in Workforce Development sheds light on the problems companies are having staffing open positions. More than a quarter of enterprises find they are unable to hire the people they need, and those that are able to fill positions report that it takes more than six months to find the right applicant for the job. Almost half of those surveyed said they got fewer than ten applicants for each job listing and 64% of respondents said that not even half of those who applied were qualified for the position.

This means that there is a huge unmet need, which is causing a serious problem for businesses. In a recent study by Dimensional Research and Tripwire, only ten percent of organizations have the skills to address the full range of the most prevalent threats. Even when singling out ransomware - the threat that most organizations reported to be their biggest concern -  only 44% of respondents said they had the skills in house needed to handle the problem.

The obvious answer to the skills shortfall is to increase both the quantity and quality of applicants. But with few schools offering computer science at the K-12 level, many students are unaware of information security as a career option. Those who start computer science studies at the college level often feel discouraged, as the learning curve is steep, especially compared to peers who have had earlier learning opportunities.

Still, there are a lot of options out there where we as security professionals can help bridge the gap.

Pay It Forward: Volunteer!
While encouraging overworked people to volunteer may seem counterproductive, getting kids interested in computers and security can be a fantastic antidote to burnout. There are a lot of national groups such as TEALS, Girls Who Code, Women’s Society of Cyberjutsu, and CoderDojo as well as local STEM events, hackathons and bootcamps that are in need of expert support.

Show Them the Money: Scholarships
The cost of formal education is growing at a rapid pace, which keeps interested people from getting the skills they need to join this industry. The good news is that there are a lot of scholarships that have been set up to encourage people to pursue an education in security. Several sites, such as (ISC)², CyberWatchWest and WiCYS maintain lists of resources for students seeking scholarships and internships. Security companies' and schools’ websites also may also offer information on additional financial resources. The second annual “ESET Women in Cybersecurity Scholarship,” will be taking applications through March 15th.

Uncover Untapped Resources: Diversity
A lot has been said about the lack of diversity in the security industry. While this is problematic, it’s also represents a huge opportunity, as it points to an untapped resource for attracting new talent. National groups like Code2040 and Black Girls Code are helping to cultivate the next generation of developers.

The ISACA report highlights another source of potential new hires that the industry may be overlooking: people who have neither formal education nor professional certifications in security. If someone has other important skills for the job at hand and technical aptitude or interest in security, but lacks more traditional qualifications, they may be automatically weeded out.

Some of the brightest people that I’ve known in the security industry came to it as a departure from a very different career path. People seem to have forgotten that not all security positions require a graduate degree in computer science, and that the necessary experience can be gained on the job. By making significant changes now, we can avoid the projected shortfall of 1.8 million professionals in 2022.

Related Content:

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MozzieMan
50%
50%
MozzieMan,
User Rank: Apprentice
3/1/2017 | 9:39:26 AM
Security Pros
Many businesses are not sure what they need; pentester, ISSO, CISO, etc, etc.  Do they want someone who can write policy?  If so, that pentester might not be great at formal writing.  Businesses should invest on entry level peoples giving them the basics and from there weed out who is more of a technical/policy writer, who is the active defense cyber guru and build from the ground up. 

Many of these jobs do require computer science/programming skills but the Universities are just now coming into that but from what I can tell it's still very much cyber security/information assurance vs coding.

Only your true programmers will shell out 2500.00 or more for an ISACA cert.  I've been an ISSO for around fifteen years now and working on a Masters in a similar field and do not wish to do pentesting but can do physical security/ end user and sys admin cyber training, systems security as far as defense but it seems many businesses are wanting the all in one.  I'm sure there are a few out there but they command a much higher salary than I'm seeing advertised. 

Why not have the CISO and then branch out from there, for your policy, defense, pentest, ISSO.
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
5 Common Errors That Allow Attackers to Go Undetected
Matt Middleton-Leal, General Manager and Chief Security Strategist, Netwrix,  2/12/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-16994
PUBLISHED: 2020-02-18
An issue was discovered on PHOENIX CONTACT AXL F BK PN <=1.0.4, AXL F BK ETH <= 1.12, and AXL F BK ETH XC <= 1.11 devices. Incorrect handling of a request with non-standard symbols allows remote attackers to initiate a complete lock up of the bus coupler. Authentication of the request is no...
CVE-2020-7796
PUBLISHED: 2020-02-18
Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.
CVE-2020-8633
PUBLISHED: 2020-02-18
An issue was discovered in Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7. When grantors revoked a shared calendar in Outlook, the calendar stayed mounted and accessible.
CVE-2020-9268
PUBLISHED: 2020-02-18
SoPlanning 1.45 is vulnerable to SQL Injection in the OrderBy clause, as demonstrated by the projets.php?order=nom_createur&by= substring.
CVE-2020-9269
PUBLISHED: 2020-02-18
SOPlanning 1.45 is vulnerable to authenticated SQL Injection that leads to command execution via the users parameter, as demonstrated by export_ical.php.