David Holmes

How The Skills Shortage Is Killing Defense in Depth

It used to be easy to sell specialized security gizmos, but these days, when a point product gets pitched to a CSO, the response is likely "looks nifty, but I don't have the staff to deploy it."

You would think that this is the perfect time to be a security vendor. Humiliating breaches lurk around every corner. Denial of service attacks grow ever larger. Bedrock platforms turn out to have (shell)shocking holes. The media love the scent of blood in the water and they keep the papers black, white, and red. It is boom times for security vendors. So what is there to complain about?

We’re going to have to change the way we sell security, that’s what.

Since 2010, security vendors have been developing ever more impressive, but specialized, security gizmos. It used to be easy to sell targeted security products because every gizmo would get air cover from the concept of defense in depth. Conceived of by the military prior to the digital age, defense in depth is the idea that more layers of defense equal a stronger security posture. For vendors, defense in depth meant it was all right if their gizmo didn’t offer wide protection because some other vendor’s gizmos would plug the holes. Forrester analyst Rick Holland called this philosophy “Expense in Depth – the multilayered approach to ensuring minimal return on investment.”

These days, when a point product gets pitched to a CSO, the response is likely to be, “Looks like a nifty gizmo, but I can’t deploy it—I just don’t have the staff.”

The IT skills shortage has become epidemic. There simply aren’t any security people available to hire. For five years now, the unemployment rate for InfoSec professionals has been less than 2% (and often 0%). The tight job market for people with security skills has had a predictable impact on wages: According to Payscale, in 2014, half of all security architects made more than $120K: that’s 50% more than the average software engineer—and a whopping 300% what a licensed nurse practitioner makes. People with security skills command more pay, leave for startups, or get poached for cushier jobs with better titles (ahem). ESG’s Jon Oltsik wrote that his #1 prediction for 2015 is “Widespread impact from the cybersecurity skills shortage.”

Normally the market fixes problems like this: rising wages in any field should attract new applicants to the business. But security doesn’t work that way. Security is harder to teach than other skills. Security is a mindset. A zeitgeist. Even a religion for some. People with the mindset are rare; like good coders and clever similes, they are hard to come by. Case in point: MasterCard is suing one of its own customers, Nike, for $5 million for poaching two of its cyber security managers.

So now what?
What should CSOs do? Without a dotcom crash, they can’t get the security people back from the startups that poached them.

Some smart CSOs are consolidating their security platforms. Partners and resellers offer packages around common platforms. The Next Generation Firewall (NGFW) vendors are collapsing network firewall and outbound web security into a single platform. IDS vendors are also integrating NGFW functionality. As Forrester analyst John Kindervag said in his Dec. 2013 “Market Overview: Network Segmentation Gateways,” consolidating adjacent security functions into platforms like network segmentation gateways helps organizations move toward what Forrester calls a “Zero Trust Model.”

Organizations are also starting to turn to cloud providers not just for availability but for security as well. The cloud companies can gather security staff and then amortize that experience across hundreds of customers. Cloud architecture is also relatively new, since today’s clouds don’t necessarily have to accommodate the ancient legacy applications that many of yesterday’s businesses are built around. This leads to a smaller threat surface for cloud platforms.

The forces pushing against defense in depth are unlikely to change in the near term. The skills shortage will continue, and cloud adoption rates will rise, which will exert pressure on IT organizations for other skillsets they lack. In 2015, the term “defense in depth” may decline in broader usage. Like the security personnel who used to practice it, defense in depth may find a new home among the clouds, where it will likely take a different name.

“Your propeller-head infosec techie that can crack packets wide open is more important than any tool you can buy,” said Ken Athanasiou, CSO of AutoNation, during a recent panel at an FBI Infragard event. “If you’ve got someone like that, make sure you keep them happy.”

But, in the meantime, for all other CSOs, “defense in depth” falls on deaf ears. Because for them, it’s all about the skills shortage.

David Holmes is the world-wide security evangelist for F5 Networks. He writes and speaks about hackers, cryptography, fraud, malware and many other InfoSec topics. He has spoken at over 30 conferences on all six developed continents, including RSA ...

Thomas Claburn
User Rank: Ninja
1/30/2015 | 5:15:43 PM
shortage or cheapness?
Companies gladly shell out millions for executive suite personnel who often aren't paid for performance. Maybe computer security professionals are just wildly underpaid compared to the actual value they bring to a company.
User Rank: Author
1/30/2015 | 5:24:40 PM
Re: shortage or cheapness?
You make an interesting point Thomas. Security personnel don't typically fall within a profit center (sometimes, but not usually) which makes valuation even more difficult. But in my experience, it is quite difficult to retain security people - they have been job hopping quite eagerly the last two years.
Joe Stanganelli
User Rank: Ninja
1/30/2015 | 10:47:56 PM
The problem is NOT a skills shortage.

The problem is a glut of HR staff.

Joe Stanganelli
User Rank: Ninja
1/30/2015 | 10:49:26 PM
Re: shortage or cheapness?
It's the HR department.  Look at any company that's faced a zillion reorgs in the past couple of decades.  Look at the survivors: All HR.

Bad recruiting practices.  Bad job description practices.  Bad hiring practices.  Bad firing practices.  Bad compensation practices.  Bad everything.  But they control the keys, so who's going to stop them?
User Rank: Ninja
1/31/2015 | 12:47:14 PM
Re: shortage or cheapness?
I couldn't agree with you more on this. I have seen the poor description practices proliferate throughout organizations to the point where job function is ambiguous and the employee accepts a position under false pretenses.

Not sure whether it's a false perception of prestige that drives the poor descriptions or other factors, but there would be a more efficient process if requirements reflected the function in a short, succinct manner.

To the point of bad hiring/firing practices, I know there are 3rd party companies now that are training organizations in best practices, but to what extent these practices stick, I know not.
User Rank: Apprentice
1/31/2015 | 8:40:43 PM
Wages do not indicate a shortage of workers.
"The IT skills shortage has become epidemic."

This is not reflected in the wages paid.  Wages have stagnated in the IT industry for over 10 years.  Keep raising wages and when they are sufficient, you will attract the talent needed.

Joe Stanganelli
User Rank: Ninja
1/31/2015 | 9:32:43 PM
Re: shortage or cheapness?
Alas, in companies with bad culture, outside consultants are paid for one of two purposes, generally -- to agree with and endorse everything the company is doing, and/or to be a scapegoat for everything that goes wrong.
User Rank: Apprentice
2/3/2015 | 10:50:41 AM
There is no skills gap, there's a priorities gap...
As it seems that every security article is written by a vendor, and not an enterprise practitioner, I'd like to lend a contrarian response.

Was Target or Home Depot (or arguably/probably) Sony breached because of a super-advanced, nation-state "so good it must have come straight out of a spy novel" kind of attack? No, they were breached because they had a poor, non-defensive network infrastructure, and were not leveraging basic tools (of which they probably have many) to mitigate information risk.

As an industry, information security managers have done an overall bad job of creating actionable information for IT/Business leadership surrounding security practice.  Because of this, it is viewed that if they aren't spending money to implement *insert top right magic quadrant performer for CYBER APT *BUZZWORD* *BUZZWORD* then they aren't effectively mitigating risk.

May I ask, how many new tools does it take, aside from a solid security team collaboration with infrastructure partners, to SEGMENT YOUR NETWORK?  How many advanced vendor tools does it take to deploy the single greatest Wintel endpoint protection tool out there, Microsoft EMET (well... it's advanced, but it's free)?  How many new, advanced tools does it take to tune your existing proxies or network controls to only execute JavaScript from trusted sources?

Maybe it's just because I took SANS 504 this one time... But a "Lessons Learned" session should usually follow any significant security incident.  "Well guys, looks like we should have paid <vendor, professional services> to do the thinking for us a little more" probably wasn't what came out of it. 

What was it?  Information Security leaders and teams were not prepared to do the "non-sexy" part of information security, such as implementing the simple—but most effective—controls, as listed above.  Granted, log aggregation and correlation is a big part of information security, and having business requirements to simply state 'what do we want to do with this tool' are often never asked before implementing a SIEM or log aggregation solution (which should have been capturing network/firewall logs showing encrypted traffic leaving the network, and tuned to find the anomalies)... proxies renegotiating SSL at the boundary anyone???

Respectfully, I don't let vendors drive my information security strategy, so I'll drop some IS management PRO-TIPS.  First, build relationships with your IT and business stakeholders.  Second, 'know thyself', understand your IT footprint through solid infrastructure and application management and inventory.  Third (and it's a big one), based on business goals and organizational risk tolerance, create a comprehensive set of business requirements surrounding relevant risks to the organization (determining what actual 'threats' are based on step 2 of this exercise), and assess the people, processes, and projects/resources needed to accomplish such goals.  New technology only fills the DELTA, it doesn't replace risk-centric management of your company's architecture.

Summary, "the APT" is irrelevant as long as organizations are getting crushed by basic attacks caused by a lapse in management of existing people, processes, and technology.
User Rank: Ninja
2/3/2015 | 2:03:52 PM
Re: There is no skills gap, there's a priorities gap...
"Since 2010, security vendors have been developing ever more impressive, but specialized, security gizmos."... that gizmo will do almost everything under the sun, but will do NOTHING well enough to justify its cost. So instead of saying, "Looks like a nifty gizmo, but I can't deploy it—I just don't have the staff.", maybe that CSO should be asking him\herself, is this nifty gizmo really going to address the problem area(s) where I need it? Maybe the problem is (I, you, we) have TOO MANY nifty gizmos that sounded good and looked good in that sandboxed demo, and not enough product research to make sure you were getting what you needed and not what somebody was selling you.

I also agree with what has been said about job descriptions and hiring. That should demand to be part of whatever that process is for his\her company, let them know that you're not going to accept whatever personnel are given to you based on a job description you did not approve or resumes that you did not approve for interview, HR's job is to find the talent based on YOUR requirements not theirs.

Even this article "David Holmes is an evangelist for F5 Networks' security solutions...", sorry Mr. Holmes, I'm not calling you out or picking on you or trying to be rude or anything, but I'm not exactly sure what an evangelist for F5 Networks' security solutions is or does. To me it sounds like salesman, and if allowed a salesman will sell you exactly what you do not need, but for a small bump in price you can get the plugin for that at the next product update. I'm sorry if you're not a salesman.

I do not see a "Skills Shortage" anywhere killing anything, what I see are;

a) (some) vendors who don't even know their own products
b) Security departments who've allowed vendors in the door based solely on "The Magic Quadrant" and not what is required to address a problem
c) As someone else alluded to, bad or no relationship with the IT Department
d) CSOs with poor track records in evaluating, training and keeping good personnel

But when you put it all together, even though every comment I've seen has it right, I think the problem as well as any solutions really does start with us, the security professional, we need to stop making excuses for "why"... understand and admit our own flaws and take responsibility where required and be strong and hold your ground when needed.


Marilyn Cohodas
User Rank: Strategist
2/3/2015 | 4:01:13 PM
Re: There is no skills gap, there's a priorities gap... > taking a left turn here
@ODA155 -- If, as you say, "we need to stop making excuses for 'why'... understand and admit our own flaws," what would you say is the biggest flaw in your security world?