Over the last few years, we’ve been bombarded with messages proclaiming a cybersecurity skills gap and associated statistics of positions going unfilled. For example, Cisco’s Annual Security Report estimated there were more than a million unfilled positions for security professionals worldwide. The Defense Department has said it plans to triple the number of “cyberwarriors” it employs by 2016 to 6,000 and has remarked that there is a shortage of qualified candidates. While I don’t doubt that these numbers have some sort of rational basis to them, they are likely drawn largely from extrapolation and somewhat optimistic assumptions. Such hiring projections rarely turn out to be accurate. For example, the Department of Homeland Security made such projections years ago that it is still nowhere close to achieving, largely because of budgetary limitations rather than a true skills gap. The Cisco estimate is probably accurate in the sense that someone scoured job sites, counted the number of security positions, and did a little extrapolation that I assume was statistically sound. However, we don’t know a lot about those open positions, such as how long they have been open, whether they were funded, and how realistic the hiring company was about salary and job responsibilities.
The bottom line is that when we talk about a security skills gap, we’re not talking about a single job. Cybersecurity jobs, like those in most other fields, run the gamut from highly specialized and intellectually challenging positions to the more mundane and repetitive ones, with the majority falling in the latter category. Many of these positions can be filled by information technology professionals with little or no security experience and training. Jobs like first-tier security operations analyst, security access administrator, and junior auditor are routinely filled by people from outside the security profession who are given some on-the-job training and mentoring to become proficient. Beyond that, the qualifications tend to be the same self-starter, good oral and written communication skills, and hard-worker traits that describe nearly every white-collar job in existence. When people complain about a skills gap, they’re really talking about the more advanced positions like security architect, malware analyst, penetration tester, and data scientist. The good ones are certainly hard to find, but that’s not because our schools are not putting out enough qualified candidates. It’s that well-qualified people in this area generally don’t get that way through training and education. Undoubtedly, experience helps a lot, but much of this talent is innate or at least internally derived. Malware analysts and penetration testers, for example, often have little formal education in their trade. Many don’t even have college degrees. They excel through the passion that keeps them up until 3 a.m. and their innate gift for problem solving. A person can attain average competence in penetration testing by following checklists and using automated tools, but without that passion and innate ability, they’re not going much further. It’s the same challenge we’ve faced in building good managers. Few blamed business schools for the colossal failures of firms like Enron and WorldCom. Instead, we saw that hubris, greed, and lack of discipline had more to do with the failures. Jack Welch, the highly regarded former GE chief executive of 20 years, remarked in one of his books that even at the end of his career, he only made the right hiring decision about half the time. Let’s not assume that security is that different from many other fields. Yes, it’s true that the security profession is experiencing rapid rates of change, but I would suggest that this has had much less effect on the availability of qualified personnel than we think. However, I do think there are some structural reasons that create challenges in filling security positions. Let’s look at those.
Economists would look at the issue of unfilled positions as one of supply and demand, or more specifically, whether sufficient incentives are available. The best qualified security professionals have a lot of options to choose from. They can work for a chief information security officer (CISO) (or be one), work for a professional services firm serving those CISOs as contractors, or hang out a shingle doing freelance work. Or they can choose a career having nothing to do with security. For example, some of the best data scientists are paid millions to help hedge funds pick the right investments. However, the answer is not to get into a bidding war with Wall Street for the best talent. There are plenty of other candidates to choose from. But salary is still an issue. Security architects, an absolutely essential in-house role for most large companies and government agencies, can often fetch salaries from $150,000 to $200,000 or more per year at a senior level. And because security architects almost by definition are seasoned professionals with a wide variety of experience and technology expertise, the position is almost always a senior-level one. For many companies, this presents some challenges to their pay scales. Outside of financial services and larger technology companies, salaries for in-house IT positions tend not to go that high beyond the chief information officer, the chief technology officer (if that position even exists), maybe the CISO, and some other management positions. In the U.S. federal government, a salary of $200,000 per year is more than a cabinet secretary or member of Congress makes. And while roles like penetration tester and malware analyst can easily be outsourced, those salary expectations filter over to the hourly rates companies are willing to pay contractors, and consequently there is a race to the bottom in both rates and competence. While that is somewhat inevitable, we can definitely develop better criteria for the skills required and the output expected from the work.
Like most technology fields, the security profession is awash in buzzwords that constantly change, like advanced persistent threat (APT), big data, cloud computing, and threat intelligence. Not surprisingly, these buzzwords end up in job descriptions, and employers are surprised that no one has 10 years of experience in a discipline that was invented two months ago. This is even more common with vendor product experience requirements. Employers will list every single product their company owns and then tell recruiters to forward only candidates with experience in all of them. This is even more common when selecting contractors. The result is that they only consider candidates willing to lie or exaggerate on their resumes, or those who spend all their time evaluating these products and no time using them in an actual production setting. Either way, the outcome is likely to be a poor choice. Instead, the focus should be on evaluating the kinds of experience the candidate had with the products he/she did work with. Did he/she demonstrate proficiency in understanding security requirements, discovering and solving implementation challenges, and maintaining a consistent process for ongoing management of the product? Moreover, every organization is a little different, so once the person is shown to have the basic technical skills and experience, the focus should shift to his/her ability to learn and solve new problems. In that respect, rather than focusing on an education pedigree or checking all the right boxes, perhaps employers should throw out some questions from left field like those used in Google’s interviews. Even a wrong answer is fine if it gives a glimpse into the candidate’s problem-solving capabilities.
Another aspect of unrealistic expectations relates to the specific domain a customer operates in. Sometimes you need a security professional who knows banking, healthcare, or energy, but more often you want someone who shows willingness and interest in how the company makes money. For example, asking questions anyone could answer by spending some time on the company’s public web site can say a lot about the candidate’s commitment to that company. In the critical infrastructure field, we’re seeing a lot of demand for candidates who are knowledgeable about control system security. And while it is important that a person know how those systems work, a more useful trait is a history of learning everything he/she can about a technology or business process before trying to slap a security control in place. Technology whose failure can lead to someone dying needs to be managed not only with a lot of competence but with even more respect and diligence.
Rapid Technology Change
Whenever there is a skills shortage in any field, one of the first explanations given is the rapid pace of change in the industry. There is no doubt that cybersecurity falls into that category. Even the name of the field, moving from information assurance to information security to cybersecurity, has been in a constant state of flux. However, the basic principles have not changed. The objective is still to protect the confidentiality, integrity, and availability of information assets through controls designed to protect against, detect, and/or respond to a threat, prioritized by risk: the probability of that threat exploiting a vulnerability multiplied by the impact if it does. Being proficient in particular products or tactics is good and often necessary, but too often that leads to the tail wagging the dog. It is inevitable that new technologies will arise demanding a highly specialized set of expertise that cannot be easily learned. Doctors and lawyers have experienced this for hundreds of years whenever a new medical technique or legal specialty suddenly comes into vogue. Those with the foresight to correctly predict and prepare for this outcome tend to be rewarded handsomely until the rest of the industry catches up or the demand fades. Cybersecurity is no different. Consequently, employers should resist the temptation to chase the latest trends when it comes to their permanent hires. Instead, their already talented employees, who were hopefully vetted correctly, can either quickly learn the new technology or practice, or the company can pay premium rates for an outside firm to help them get up to speed. One of my customers paid $800 an hour for assistance with a niche product in a small market. It was money well spent to get the job done right. Hiring an employee with the right skills to do that would have been a waste of time and money.
The above discussion is not meant to suggest that we should not invest in more training and education for cybersecurity. Instead, it suggests that we clearly understand the problem and fix the issues that have nothing to do with the skills of the people in our industry. After that, we’ll be in a much better position to know where to focus our training efforts.