Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

2/9/2015
10:30 AM
Michelle Drolet
Michelle Drolet
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Bridging the Cybersecurity Skills Gap: 3 Big Steps

The stakes are high. Establishing clear pathways into the industry, standardizing jobs, and assessing skills will require industry-wide consensus and earnest collaboration.

There is a dangerous dearth of qualified Information Security talent in industry today. In the face of mounting threats and an unprecedented number of data breaches, organizations and governments simply aren't coping. Cybercrime is growing rapidly as sophisticated, targeted attacks flood in from diverse sources.

The exploitation of vulnerabilities has a very real economic toll that's often underestimated. Economic growth is restricted and job losses are common. For example, a study by the Center for Strategic and International Studies put the loss to business from cybercrime between $375 billion and $575 billion in 2013 alone. And yet, the industry is singularly unprepared to meet the challenge:

Clearly it's vital that something be done to redress the balance and make a career in cybersecurity more desirable. Here are three suggestions:

Clearly define job titles
Finding the right security expertise to enforce internal policies is not easy and the waters are muddied by a lack of standardized career definitions. Job titles differ from country to country and even from organization to organization. This makes it hard for employers to find the right talent, but it's also off-putting for graduating students who want to step onto the first rung of a career ladder.

Standardized job titles would help create a framework where skills sets and expectations can be clearly delineated. It would make it easier for prospective employees to target the skills and experience they really need. Common definitions would also boost the international flow of talent and foster cooperation between peers.

Build a career framework
The Information Systems Security Association (ISSA) has identified a career framework definition in the shape of the Cybersecurity Career Lifecycle (CSCL), but it can't be achieved in isolation. The industry must participate and help shape this framework to deliver clear career ladders for incomers to climb.

It’s important to note that this framework doesn’t necessarily map a direct path to a job as a CISO. There are a variety of rewarding careers in security, and an executive position will not be desirable or suitable for everyone. However, setting out clear career maps with room for growth and advancement in different directions is key to attracting more talent into the cybersecurity sphere. It's a fast-paced, challenging industry and there's no reason it shouldn't attract a more diverse talent base. But they need to be able to see a way in.

It's also important for organizations to be able to shop around for the skills they need and hire with confidence, which is also a strong argument for the establishment of accepted standards for assessments of security professionals to determine career levels and skills. Accreditation in specific areas needn't be confined to security specialists, either. Opening up security training for employees in other departments working with these systems on a daily basis also makes a great deal of sense.

Integrate InfoSec knowledge with IT infrastructure
Throwing money at security software is not the answer. To be effective, information security must be properly integrated with your infrastructure and configured correctly. So, to get a real return on investment you need people with security expertise to leverage that software and extract real value from it.

Think of it this way: a shortfall in knowledge and skills could actually be the greatest vulnerability in your organization.

Establishing clear pathways into the industry, standardizing jobs, and assessing skills requires industry-wide consensus and earnest collaboration. The stakes are high. No one is predicting a decline in cyber-attacks. The problem is only going to grow. It's time we worked together to solve it.

[Read about How The Skills Shortage Is Killing Defense in Depth]

Michelle Drolet is founder of Towerwall, a full service information security provider with over 20 years of experience exclusively delivering security and risk management services to biotech, financial services, and education. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ClassC
50%
50%
ClassC,
User Rank: Apprentice
2/11/2015 | 4:41:17 PM
Re: Bridging the Cybersecurity Skills Gap
"... They had actionable data, but it appears that their threat intelligence and response matrix was lacking, and relative to that incident, they got zero value from that money they had spent."


@GonzSTL       That is a great way of describing what really is becoming quite confusing with all the recent breeches.  With so much noise around the situation, it difficult to remember what is important to consider and what was lacking.

Threat Intelligence and their response matrix surly came up short and I bet this is more common than most companies would ever admit.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
2/10/2015 | 12:28:45 PM
Re: Bridging the Cybersecurity Skills Gap
@InfoSec_Candy: Those were Michelle's words, not mine. However, I do agree that the shortage could be the greatest vulnerability in any organization.
InfoSec_Candy
100%
0%
InfoSec_Candy,
User Rank: Strategist
2/10/2015 | 11:36:24 AM
Re: Bridging the Cybersecurity Skills Gap
Great points GonzSTL!!!   "a shortfall in knowledge and skills could actually be the greatest vulnerability in your organization."   I believe it IS the greatest threat!!!
GonzSTL
100%
0%
GonzSTL,
User Rank: Ninja
2/9/2015 | 12:23:10 PM
Bridging the Cybersecurity Skills Gap
"Throwing money at security software is not the answer. To be effective, information security must be properly integrated with your infrastructure and configured correctly. So, to get a real return on investment you need people with security expertise to leverage that software and extract real value from it.

Think of it this way: a shortfall in knowledge and skills could actually be the greatest vulnerability in your organization."

One word comes to mind - Bingo! The word is that Target spent many millions of dollars in IT security before they were breached. That is a lot of money to throw at security! However, one of their failures was in their Incident Response strategy. They had actionable data, but it appears that their threat intelligence and response matrix was lacking, and relative to that incident, they got zero value from that money they had spent.
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Dueling Free Throws A riff on the song Dueling Banjos
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprise
Assessing Cybersecurity Risk in Today's Enterprise
Security leaders are struggling to understand their organizations risk exposure. While many are confident in their security strategies and processes, theyre also more concerned than ever about getting breached. Download this report today and get insights on how today's enterprises assess and perceive the risks they face in 2019!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18862
PUBLISHED: 2019-11-11
maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.
CVE-2019-18853
PUBLISHED: 2019-11-11
ImageMagick before 7.0.9-0 allows remote attackers to cause a denial of service because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to SVG and libxml2.
CVE-2019-18854
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a '<use ... xlink:href="#identifier">' substring.
CVE-2019-18855
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to potentially unwanted elements or attributes.
CVE-2019-18856
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the SVG Sanitizer module through 8.x-1.0-alpha1 for Drupal because access to external resources with an SVG use element is mishandled.