Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

2/9/2015
10:30 AM
Michelle Drolet
Michelle Drolet
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Bridging the Cybersecurity Skills Gap: 3 Big Steps

The stakes are high. Establishing clear pathways into the industry, standardizing jobs, and assessing skills will require industry-wide consensus and earnest collaboration.

There is a dangerous dearth of qualified Information Security talent in industry today. In the face of mounting threats and an unprecedented number of data breaches, organizations and governments simply aren't coping. Cybercrime is growing rapidly as sophisticated, targeted attacks flood in from diverse sources.

The exploitation of vulnerabilities has a very real economic toll that's often underestimated. Economic growth is restricted and job losses are common. For example, a study by the Center for Strategic and International Studies put the loss to business from cybercrime between $375 billion and $575 billion in 2013 alone. And yet, the industry is singularly unprepared to meet the challenge:

Clearly it's vital that something be done to redress the balance and make a career in cybersecurity more desirable. Here are three suggestions:

Clearly define job titles
Finding the right security expertise to enforce internal policies is not easy and the waters are muddied by a lack of standardized career definitions. Job titles differ from country to country and even from organization to organization. This makes it hard for employers to find the right talent, but it's also off-putting for graduating students who want to step onto the first rung of a career ladder.

Standardized job titles would help create a framework where skills sets and expectations can be clearly delineated. It would make it easier for prospective employees to target the skills and experience they really need. Common definitions would also boost the international flow of talent and foster cooperation between peers.

Build a career framework
The Information Systems Security Association (ISSA) has identified a career framework definition in the shape of the Cybersecurity Career Lifecycle (CSCL), but it can't be achieved in isolation. The industry must participate and help shape this framework to deliver clear career ladders for incomers to climb.

It’s important to note that this framework doesn’t necessarily map a direct path to a job as a CISO. There are a variety of rewarding careers in security, and an executive position will not be desirable or suitable for everyone. However, setting out clear career maps with room for growth and advancement in different directions is key to attracting more talent into the cybersecurity sphere. It's a fast-paced, challenging industry and there's no reason it shouldn't attract a more diverse talent base. But they need to be able to see a way in.

It's also important for organizations to be able to shop around for the skills they need and hire with confidence, which is also a strong argument for the establishment of accepted standards for assessments of security professionals to determine career levels and skills. Accreditation in specific areas needn't be confined to security specialists, either. Opening up security training for employees in other departments working with these systems on a daily basis also makes a great deal of sense.

Integrate InfoSec knowledge with IT infrastructure
Throwing money at security software is not the answer. To be effective, information security must be properly integrated with your infrastructure and configured correctly. So, to get a real return on investment you need people with security expertise to leverage that software and extract real value from it.

Think of it this way: a shortfall in knowledge and skills could actually be the greatest vulnerability in your organization.

Establishing clear pathways into the industry, standardizing jobs, and assessing skills requires industry-wide consensus and earnest collaboration. The stakes are high. No one is predicting a decline in cyber-attacks. The problem is only going to grow. It's time we worked together to solve it.

[Read about How The Skills Shortage Is Killing Defense in Depth]

Michelle Drolet is founder of Towerwall, a full service information security provider with over 20 years of experience exclusively delivering security and risk management services to biotech, financial services, and education. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ClassC
50%
50%
ClassC,
User Rank: Apprentice
2/11/2015 | 4:41:17 PM
Re: Bridging the Cybersecurity Skills Gap
"... They had actionable data, but it appears that their threat intelligence and response matrix was lacking, and relative to that incident, they got zero value from that money they had spent."


@GonzSTL       That is a great way of describing what really is becoming quite confusing with all the recent breeches.  With so much noise around the situation, it difficult to remember what is important to consider and what was lacking.

Threat Intelligence and their response matrix surly came up short and I bet this is more common than most companies would ever admit.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
2/10/2015 | 12:28:45 PM
Re: Bridging the Cybersecurity Skills Gap
@InfoSec_Candy: Those were Michelle's words, not mine. However, I do agree that the shortage could be the greatest vulnerability in any organization.
InfoSec_Candy
100%
0%
InfoSec_Candy,
User Rank: Strategist
2/10/2015 | 11:36:24 AM
Re: Bridging the Cybersecurity Skills Gap
Great points GonzSTL!!!   "a shortfall in knowledge and skills could actually be the greatest vulnerability in your organization."   I believe it IS the greatest threat!!!
GonzSTL
100%
0%
GonzSTL,
User Rank: Ninja
2/9/2015 | 12:23:10 PM
Bridging the Cybersecurity Skills Gap
"Throwing money at security software is not the answer. To be effective, information security must be properly integrated with your infrastructure and configured correctly. So, to get a real return on investment you need people with security expertise to leverage that software and extract real value from it.

Think of it this way: a shortfall in knowledge and skills could actually be the greatest vulnerability in your organization."

One word comes to mind - Bingo! The word is that Target spent many millions of dollars in IT security before they were breached. That is a lot of money to throw at security! However, one of their failures was in their Incident Response strategy. They had actionable data, but it appears that their threat intelligence and response matrix was lacking, and relative to that incident, they got zero value from that money they had spent.
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12875
PUBLISHED: 2019-06-18
Alpine Linux abuild through 3.4.0 allows an unprivileged member of the abuild group to add an untrusted package via a --keys-dir option that causes acceptance of an untrusted signing key.
CVE-2017-8335
PUBLISHED: 2019-06-18
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of setting name for wireless network. These values are stored by the device in NVRAM (Non-volatile RAM). It seems that the POST parameters passed in this...
CVE-2017-8336
PUBLISHED: 2019-06-18
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of adding new routes to the device. It seems that the POST parameters passed in this request to set up routes on the device can be set in such a way that...
CVE-2019-12874
PUBLISHED: 2019-06-18
An issue was discovered in zlib_decompress_extra in modules/demux/mkv/util.cpp in VideoLAN VLC media player 3.x through 3.0.7. The Matroska demuxer, while parsing a malformed MKV file type, has a double free.
CVE-2012-6711
PUBLISHED: 2019-06-18
A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the "echo -e" built-in func...