
2/9/2015
10:30 AM
Michelle Drolet
Commentary

Bridging the Cybersecurity Skills Gap: 3 Big Steps

The stakes are high. Establishing clear pathways into the industry, standardizing jobs, and assessing skills will require industry-wide consensus and earnest collaboration.

There is a dangerous dearth of qualified Information Security talent in industry today. In the face of mounting threats and an unprecedented number of data breaches, organizations and governments simply aren't coping. Cybercrime is growing rapidly as sophisticated, targeted attacks flood in from diverse sources.

The exploitation of vulnerabilities has a very real economic toll that's often underestimated. Economic growth is restricted and job losses are common. For example, a study by the Center for Strategic and International Studies put the loss to business from cybercrime between $375 billion and $575 billion in 2013 alone. And yet, the industry is singularly unprepared to meet the challenge:

Clearly it's vital that something be done to redress the balance and make a career in cybersecurity more desirable. Here are three suggestions:

Clearly define job titles
Finding the right security expertise to enforce internal policies is not easy and the waters are muddied by a lack of standardized career definitions. Job titles differ from country to country and even from organization to organization. This makes it hard for employers to find the right talent, but it's also off-putting for graduating students who want to step onto the first rung of a career ladder.

Standardized job titles would help create a framework where skill sets and expectations can be clearly delineated. It would make it easier for prospective employees to target the skills and experience they really need. Common definitions would also boost the international flow of talent and foster cooperation between peers.

Build a career framework
The Information Systems Security Association (ISSA) has identified a career framework definition in the shape of the Cybersecurity Career Lifecycle (CSCL), but it can't be achieved in isolation. The industry must participate and help shape this framework to deliver clear career ladders for incomers to climb.

It’s important to note that this framework doesn’t necessarily map a direct path to a job as a CISO. There are a variety of rewarding careers in security, and an executive position will not be desirable or suitable for everyone. However, setting out clear career maps with room for growth and advancement in different directions is key to attracting more talent into the cybersecurity sphere. It's a fast-paced, challenging industry and there's no reason it shouldn't attract a more diverse talent base. But they need to be able to see a way in.

It's also important for organizations to be able to shop around for the skills they need and hire with confidence, which is also a strong argument for the establishment of accepted standards for assessments of security professionals to determine career levels and skills. Accreditation in specific areas needn't be confined to security specialists, either. Opening up security training for employees in other departments working with these systems on a daily basis also makes a great deal of sense.

Integrate InfoSec knowledge with IT infrastructure
Throwing money at security software is not the answer. To be effective, information security must be properly integrated with your infrastructure and configured correctly. So, to get a real return on investment you need people with security expertise to leverage that software and extract real value from it.

Think of it this way: a shortfall in knowledge and skills could actually be the greatest vulnerability in your organization.

Establishing clear pathways into the industry, standardizing jobs, and assessing skills requires industry-wide consensus and earnest collaboration. The stakes are high. No one is predicting a decline in cyber-attacks. The problem is only going to grow. It's time we worked together to solve it.

[Read about How The Skills Shortage Is Killing Defense in Depth]

Michelle Drolet is founder of Towerwall, a full service information security provider with over 20 years of experience exclusively delivering security and risk management services to biotech, financial services, and education.
Comments
ClassC,
User Rank: Apprentice
2/11/2015 | 4:41:17 PM
Re: Bridging the Cybersecurity Skills Gap
"... They had actionable data, but it appears that their threat intelligence and response matrix was lacking, and relative to that incident, they got zero value from that money they had spent."


@GonzSTL That is a great way of describing what really is becoming quite confusing with all the recent breaches. With so much noise around the situation, it is difficult to remember what is important to consider and what was lacking.

Threat Intelligence and their response matrix surely came up short and I bet this is more common than most companies would ever admit.
GonzSTL,
User Rank: Ninja
2/10/2015 | 12:28:45 PM
Re: Bridging the Cybersecurity Skills Gap
@InfoSec_Candy: Those were Michelle's words, not mine. However, I do agree that the shortage could be the greatest vulnerability in any organization.
InfoSec_Candy,
User Rank: Strategist
2/10/2015 | 11:36:24 AM
Re: Bridging the Cybersecurity Skills Gap
Great points GonzSTL!!! "a shortfall in knowledge and skills could actually be the greatest vulnerability in your organization." I believe it IS the greatest threat!!!
GonzSTL,
User Rank: Ninja
2/9/2015 | 12:23:10 PM
Bridging the Cybersecurity Skills Gap
"Throwing money at security software is not the answer. To be effective, information security must be properly integrated with your infrastructure and configured correctly. So, to get a real return on investment you need people with security expertise to leverage that software and extract real value from it.

Think of it this way: a shortfall in knowledge and skills could actually be the greatest vulnerability in your organization."

One word comes to mind - Bingo! The word is that Target spent many millions of dollars in IT security before they were breached. That is a lot of money to throw at security! However, one of their failures was in their Incident Response strategy. They had actionable data, but it appears that their threat intelligence and response matrix was lacking, and relative to that incident, they got zero value from that money they had spent.