Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

2/28/2017
02:00 PM
Lysa Myers
Lysa Myers
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

How Security Pros Can Bridge The Skills Shortage

By paying it forward, we can help address the industry's exploding need for talent.

If you feel like you’re overworked and that your security department is short-staffed, you’re probably not imagining it. Two reports were released recently, with less-than-encouraging statistics about the growing security skills shortage. Is there anything we can do to stem the tide?

ISACA’s Current Trends in Workforce Development sheds light on the problems companies are having staffing open positions. More than a quarter of enterprises find they are unable to hire the people they need, and those that are able to fill positions report that it takes more than six months to find the right applicant for the job. Almost half of those surveyed said they got fewer than ten applicants for each job listing and 64% of respondents said that not even half of those who applied were qualified for the position.

This means that there is a huge unmet need, which is causing a serious problem for businesses. In a recent study by Dimensional Research and Tripwire, only ten percent of organizations have the skills to address the full range of the most prevalent threats. Even when singling out ransomware - the threat that most organizations reported to be their biggest concern -  only 44% of respondents said they had the skills in house needed to handle the problem.

The obvious answer to the skills shortfall is to increase both the quantity and quality of applicants. But with few schools offering computer science at the K-12 level, many students are unaware of information security as a career option. Those who start computer science studies at the college level often feel discouraged, as the learning curve is steep, especially compared to peers who have had earlier learning opportunities.

Still, there are a lot of options out there where we as security professionals can help bridge the gap.

Pay It Forward: Volunteer!
While encouraging overworked people to volunteer may seem counterproductive, getting kids interested in computers and security can be a fantastic antidote to burnout. There are a lot of national groups such as TEALS, Girls Who Code, Women’s Society of Cyberjutsu, and CoderDojo as well as local STEM events, hackathons and bootcamps that are in need of expert support.

Show Them the Money: Scholarships
The cost of formal education is growing at a rapid pace, which keeps interested people from getting the skills they need to join this industry. The good news is that there are a lot of scholarships that have been set up to encourage people to pursue an education in security. Several sites, such as (ISC)², CyberWatchWest and WiCYS maintain lists of resources for students seeking scholarships and internships. Security companies' and schools’ websites also may also offer information on additional financial resources. The second annual “ESET Women in Cybersecurity Scholarship,” will be taking applications through March 15th.

Uncover Untapped Resources: Diversity
A lot has been said about the lack of diversity in the security industry. While this is problematic, it’s also represents a huge opportunity, as it points to an untapped resource for attracting new talent. National groups like Code2040 and Black Girls Code are helping to cultivate the next generation of developers.

The ISACA report highlights another source of potential new hires that the industry may be overlooking: people who have neither formal education nor professional certifications in security. If someone has other important skills for the job at hand and technical aptitude or interest in security, but lacks more traditional qualifications, they may be automatically weeded out.

Some of the brightest people that I’ve known in the security industry came to it as a departure from a very different career path. People seem to have forgotten that not all security positions require a graduate degree in computer science, and that the necessary experience can be gained on the job. By making significant changes now, we can avoid the projected shortfall of 1.8 million professionals in 2022.

Related Content:

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
MozzieMan
50%
50%
MozzieMan,
User Rank: Apprentice
3/1/2017 | 9:39:26 AM
Security Pros
Many businesses are not sure what they need; pentester, ISSO, CISO, etc, etc.  Do they want someone who can write policy?  If so, that pentester might not be great at formal writing.  Businesses should invest on entry level peoples giving them the basics and from there weed out who is more of a technical/policy writer, who is the active defense cyber guru and build from the ground up. 

Many of these jobs do require computer science/programming skills but the Universities are just now coming into that but from what I can tell it's still very much cyber security/information assurance vs coding.

Only your true programmers will shell out 2500.00 or more for an ISACA cert.  I've been an ISSO for around fifteen years now and working on a Masters in a similar field and do not wish to do pentesting but can do physical security/ end user and sys admin cyber training, systems security as far as defense but it seems many businesses are wanting the all in one.  I'm sure there are a few out there but they command a much higher salary than I'm seeing advertised. 

Why not have the CISO and then branch out from there, for your policy, defense, pentest, ISSO.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14499
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper access control vulnerability. Successful exploitation of this vulnerability may allow an attacker to obtain all user accounts credentials.
CVE-2020-14501
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper authentication for critical function (CWE-306) issue. Successful exploitation of this vulnerability may allow an attacker to obtain the information of the user table, including the administrator credentials in plain text. An attacker may also ...
CVE-2020-14503
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper input validation vulnerability. Successful exploitation of this vulnerability could allow an attacker to remotely execute arbitrary code.
CVE-2020-14497
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code.
CVE-2020-14505
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper neutralization of special elements used in a command (“command injection�) vulnerability. Successful exploitation of this vulnerability may allow an attacker to send a HTTP GET or POST request that create...