Thursday 17 March 2016

Skills Gap in the Cyber Security Industry

I read an FT article a few months ago (here – worth signing up for occasional articles – it’s free) about the skills in the cyber security sector or, should I say, the lack of available skills. This is something I revisited this week for various reasons. Some of the interesting points it made included:
  • 103,000 people hold a CISSP certification, including 68,000 in the US, but there are 50,000 additional job openings for CISSP-certified professionals at present.
  • It is not just about technical skills. You also need people who can “speak the language of the boardroom and translate tech-talk into understanding for the C suite” (Mark Brown – E&Y). This is certainly something I agree with, and I have seen first-hand that few people can do it well.
  • In the UK, salaries have increased 10 per cent year on year for security staff and 16 per cent for consultants.
  • Security professionals moved jobs twice as often as average workers in the year to April 2015.
These are very real issues in my experience and they are getting worse. I think they are compounded by the C suite thinking that all IT professionals fall into the same or similar categories and that there is nothing special about recruiting security staff. The realisation that this is incorrect will be a bitter pill to swallow when significant incidents highlight the gaps. The Information Security Forum's (ISF) recent Threat Horizon 2018 report asserts that

    “Disruption to critical systems is magnified due to the shortage of specialized skills needed to maintain algorithms and codebase… To fully close the gap between the board’s expectations and the security function’s ability to deliver, skills and capabilities have to increase”
    and
    “Inability to recruit, develop and retain the right skills, losing the war on talent and leaving a critical skills gap” will lead to more significant and longer-lasting security incidents for companies.


So both the research and my practical experience have demonstrated the validity of this problem but, as security managers, what can we do about it? I don’t have all the answers, but for me the solutions fall into several categories:
  1. Enticing new graduates into the security industry. I think the role we in the industry can play here is, where possible, to engage with the universities and offer student internships. I know in Ireland these exist even for the summer period (e.g. DCU Intra). This is a great introduction to the real world for these students.
  2. Enticing experienced IT professionals into security. Given that I count myself in this group, I think this is something we should also encourage. Many people have associated skills (e.g. compliance, application development) which, with additional training, can be an asset to the security function in an organisation.
  3. Development of existing security professionals’ skills. I am a big fan of the Richard Branson phrase “Train people well enough so they can leave. Treat people well enough so they don’t want to”. Given the flux in the industry, information security managers need to proactively drive their people towards further training. I certainly believe it is significantly cheaper to train a person regularly, developing existing and new skills, than to hire a new person (if you can find them) and pay them (plus pay for their training) while they get up to speed. Anything less demonstrates, in my view, a lack of management skill and foresight. So take time out to work on development plans for security professionals: see where they want to go, build solid plans with clear time-delineated outcomes, and give them the freedom to achieve those goals. This will include finding the balance between formal training (including certifications) and training on the job. The latter needs to include some level of mentoring to speed up development over time.
  4. Ensure people maintain their understanding of the security environment. There are many ways to do this, including online webinars (but you have to give them the time and freedom to attend and focus on these rather than do their email). It also means facilitating attendance at security conferences, and encouraging security people to speak at those conferences to share best practice. This builds other skills and increases confidence.
  5. Identify those with potential and encourage them to engage with C-suite personnel. As the ISF report alluded to, we need to develop the ability in technical people to engage with senior management in their language. As managers, we need to push people and trust in their ability to do this.

Information security is an immature profession. It occurs to me that as its current custodians we have a responsibility to ourselves, our colleagues and the next generation to proactively develop that maturity.


Please let me know what you think.