Some 209,000 cybersecurity jobs remain unfulfilled. And according to a January PBS report, job postings for the profession are up 74 percent. These are shocking numbers that quantify one of the nation’s primary cybersecurity issues.
Why can’t we just turn on the cybersecurity-training factory and turn out 200,000 cybersecurity professionals quickly to meet the demand? The surprising answer is that too many senior-level executives — even ones who work in the cybersecurity field — don’t have a basic understanding of what to look for in cybersecurity talent. Compounding the problem is that most professional education paths, in colleges and universities, can’t provide the experience-based training required.
Skill and experience trump education
Like every security team in business today, we are hiring. Each week, we receive 50-60 resumes of prospects wanting to join the FireHost security team. My observation after going through the security recruiting process for the last three years (in my post-military career) is that college and university educations do not prepare students for success in cybersecurity.
In fact, when we do find a good prospect, I don’t even notice if they have a college degree. It is not a factor in selection and salary discussions either. Cybersecurity is a skills-based profession that is always rooted in experience and repetition. Both the universities and technical schools struggle to provide live environments that can replicate complex security environments, even for small- to medium-sized businesses.
If this is the case, then where do you hunt for future cybersecurity specialists?
Map talent to disciplines
The easy answer is to hire prospects away from companies where they are currently — and successfully — doing the job. However, this strategy has driven up the cost of skilled labor to the point that it is no longer an option for most security teams. Instead, many companies are opting to discover and train their own talent.
IT services involve three major functions: host and application administration, computer programming, and network engineering. All three of these functions can directly pivot to a cybersecurity discipline: host forensics, malware analysis, and network forensics, respectively.
The critical data that a security analyst needs to understand in order to detect threat activity relates to these three IT and security functions. When I screen resumes for security prospects, I look for experience in one or more of these fields of work, either as an IT specialist or security specialist.
In fact, if I have to choose between a university-educated cybersecurity graduate or an IT specialist who is strong in sysadmin, networking or programming, I will pick the IT specialist every time. For me, the ideal prospect is often someone who ran a small IT shop where they had to do everything in all three functions. A model cybersecurity pro must understand how the IT infrastructure works before he or she can understand how to protect against attacks and find threat activity.
The value of certifications
Are certifications a good judge of talent? Yes and no. When you can align certifications with relevant job experience related to that certification, then, yes, certifications are very important. However, I have found an anomaly with security prospects who possess many certifications but no track record of doing anything related to those certifications. In these cases, certifications are not a good judge of talent.
My trick is to look at an applicant’s experience, then see what level of certifications they have been able to achieve. Thus, I use certifications as a validation that the prospects not only have experience, but also have passed a benchmark to demonstrate their skills and abilities. A red flag may rise when someone has many certifications that don’t inherently go together. We call these individuals “badge finders.”
Integrate cybersecurity into undergrad CompSci
So, what are possible solutions? The first is actually quite provocative: eliminate cybersecurity undergraduate programs. In my opinion, security should be integrated into all computer science and engineering undergraduate programs. As we train our future sys admins, programmers and network engineers, we should teach the principles of cybersecurity in every aspect of their education. This approach will provide future cybersecurity warriors with a deep knowledge in how IT infrastructure works before they decide to specialize.
This change also will have the inverse effect of ensuring that our IT service providers are better grounded in security. This gives folks like me, who are looking for entry-level security professionals, a broader group to assess. When needed, we may then leverage graduate and doctorate programs for specialization in security.
Leverage technical trade schools
My second solution is not nearly as proactive. We are critically short on security personnel with hands-on technical skills in managing security infrastructure. This is a skill that does not take four years to learn and does not require a live environment to become proficient. This includes managing devices in a security stack (e.g., firewall, IPS/IDS, WAF, etc.). These skills are great opportunities for vendor-managed training programs and technical schools.
These programs exist today, but we are simply not getting enough people into appropriate courses. Maybe government grants could drive more students to look for this opportunity. It would also be advantageous for vendors to work directly with technical schools to provide equipment and training packages that facilitate more cybersecurity wrench-turners for gear they hope to sell.
My last suggestion is core to classic professional training models that date back to the middle ages: establish a master-apprentice framework for cybersecurity. I set up this model when I wanted to accelerate the progression of forensic college hires in an incident response practice. We really underestimated the success we would achieve in this mentoring program. In fact, our forensics consultants were doing advanced work within 6-8 months.
For now, placing security training at the core of all computer science and IT tracks is the first step toward preparing the next generation of security professionals to properly defend valuable assets, information, and digital identities. But it’s only a start. Let’s continue the discussion of next steps in the comments.