Dark Reading is part of the Informa Tech Division of Informa PLC


4/9/2020
02:00 PM
Nick Tausek
Commentary

No STEM, No Problem: How to Close the Security Workforce Gap

Those who work well with others, learn quickly, and possess a proactive mindset toward the work can make great employees, even if their backgrounds aren't rooted in cybersecurity.

The shortage of skilled information security workers persists — and continues to grow — for the simple reason that demand continues to exceed supply. But organizations will have a greater supply of talent than they realize if they can change their approach to uncovering it.

The search for cybersecurity professionals traditionally begins and ends by looking for candidates with backgrounds in science, technology, engineering, and mathematics (STEM). But security operations centers (SOCs) and others looking to fill the infosec skills gap could broaden their search by looking for people with analytical, inquisitive minds and other talents that make for a good security analyst or other IT professional. They may well find the talent pool runs deeper than an HR-driven checklist can reveal.

Outside the Academic Envelope
The most recent annual Cybersecurity Workforce Study by (ISC)² found a shortage of 2.8 million cybersecurity professionals around the world, with about 500,000 in the US alone. To meet the demand, the cyber workforce needs to grow globally by 145% and in the US by 62%, the report found. This is particularly concerning as cyberthreats continue to grow in number, variety, and severity.

Retention is also an issue. Using SOC analysts as an example, entry-level workers in an organization typically come in at Tier 1, with their main responsibilities centered around responding to alerts, checking logs, monitoring user activity and network events, and detecting attacks. Given that the average tenure of a SOC analyst is one to three years, many analysts only experience Tier 1 work in the industry as a whole before leaving due to burnout — just as they are gaining real competence in the field.

Filling the gap is one part of the solution; keeping talent on board is the other.

What Makes a Good Candidate?
An analyst certainly does have to understand computers and networking, as well as how information systems can be exploited, but what makes a good analyst is more than that. The core factors are the ability to be analytical and inquisitive and to come up with creative solutions, as well as to possess research skills and proper documentation and communication skills. Other talents that also come into play include technical writing ability, which often is overlooked. But those abilities don't necessarily surface during an initial screening process.

Finding good candidates to fill cybersecurity analyst positions or other jobs is a two-way street – abilities a SOC should be looking for are the same ones candidates should be exploring. A few of those factors:

  • Certification: As opposed to classroom work, certification gives candidates the opportunity to achieve specific skills. Hiring and SOC managers often look at certifications over higher education. It's one area where skills can be presented on a resume rather than in a portfolio. Outside of the standard certifications for a certain job role, certifications that show a diverse skillset are a great way for candidates to demonstrate their breadth of knowledge and adaptability, two important factors for hiring managers.
  • Practical experience: Candidates should have an efficient, succinct way of showing what they've done in the field, such as working on open source projects, to showcase how they’re contributing to the community at large. Networking (in a social sense) also can't be overstated. It can show an ability to work with others; sometimes who you know can be a big boost, just as in any industry.
  • Scripting ability: Candidates who want to get out of the basic Tier 1 and 2 work will benefit a lot from the ability to program in languages such as Python and Ruby, which are used extensively in cybersecurity.

'Industry Outsider' Talent
Organizations need to adapt their recruiting and hiring processes to increase their chances of attracting the people who would make good analysts, regardless of whether they have extensive experience in information technology or STEM. One approach is to look at candidates' portfolios, rather than resumes, as a measure of their skills. That approach is often utilized at smaller penetration-testing companies, for example, where candidates are assessed on what they can do.

In similar fashion, practical examinations of potential analysts should focus on more than just background and experience. Other things that can be used to screen or evaluate applicants include problem-solving tests, technical writing exercises, and tests in which the candidate has to learn a new technical skill, use the skill to solve a problem, and document the attempt. Even if the attempt fails, understanding how well and in what way the candidate learns can provide insight about whether that person has the potential to make a good analyst, rather than only looking at candidates who can analyze a pcap file with tcpdump. Yes, this approach would add a level of complexity for HR departments and require greater involvement from the security operations center in the vetting process, but higher involvement is necessary anyway to unearth good candidates.

Sticking with our analyst example from earlier, great analysts can also come from other fields, such as police work, where an experienced investigator can catch up on the technical parts of the job if they already have a mental framework for investigation and analysis, along with the mental agility to reach good conclusions on incomplete evidence.

Ultimately, the most successful people in cybersecurity understand that it's a very complex field with a lot to keep track of, from new attacks and attackers to new tactics and avenues of exploitation. Those who work well with others, learn quickly, and possess a proactive mindset toward the work can make great employees, even when they come from nontraditional backgrounds. It's a constant learning experience and can't be handled alone — it must be done as a community. This should inform our hiring choices as well.

Nick Tausek is a security research engineer at Swimlane, where he focuses on discovering, building, and presenting on different security orchestration, automation and response (SOAR) use cases to solve the biggest security operations challenges. He has extensive experience in ...