Most analyses agree that the cybersecurity skills gap, or shortage, is getting worse. ESG reported in CSOOnline that 2018 had the highest level yet, at 51%, of organizations that “claimed their organization had a problematic shortage of cybersecurity skills.”
It’s a complex problem, but I believe with non-complex solutions.
The Problems (and the Solutions)
HR and How We Look at Jobs
This is a complex aspect of the complex problem. Cybersecurity is like healthcare, in that there isn’t one ‘job’ or role. Heart surgeons, lab technicians, and medical device designers are all part of that market; however, the submarkets they occupy are very distinct, and overall there is very little cross-market progression. Other areas of technology may be somewhat similar, but they don’t seem to have any more job-role and progression order than the unsorted pile of Lego that is cybersecurity. I’ve seen too many postings looking for 10 years of experience with a security technology that is 5 years old, salary assignments that are a third of the going market rate for the described role, or great candidates not considered because they were filtered out when the word ‘cybersecurity’ wasn’t in the CV, or the CV said ‘C.I.S.S.P.’ and not ‘CISSP’. It’s so inefficient, and the more so because it amplifies the skills gap by narrowing the pool of candidates. So what’s the fix? This one is the hardest one on the list, so I put it first. There’s a systemic change needed here in how we describe roles and try to fill them. I believe I’m being pragmatic on this one: not until the companies and agencies who are looking for security people get frustrated enough will there be momentum to change.
Education and Certification
At the very front of the pipe, education is how we produce cybersecurity people. Not only has the education stream failed to produce the right number of people; because of the issues mentioned above in how we look at cybersecurity jobs, post-secondary education has been a big miss. Historically, post-secondary institutions have tried ‘jack of all trades’ programmes that produced graduates without the specialization to be quickly employable, having spent their time smeared across too many disciplines. Think of that heart surgeon spending a term learning electronics QA processes. Product-specific training filled the gap, and this is successful if a candidate will be dealing with that product, but it’s a gamble that a prospective employer will use the products you are trained on. For non-hands-on or non-ops roles, certifications have been widespread, but most have been too broad, like the CISSP, to really fill the skills gap, and the very specific certifications haven’t had the adoption to be recognized. The latter isn’t the fault of the certification bodies; it is again the issue of too much tendency towards treating security as one big job bucket. So what’s the fix? Greater links between industry and post-secondary education are a first step. Post-secondary institutions are starting to move to post-graduation success tracking for cybersecurity, but only a few. Better practical linkage between foundation and application is needed, without overlaps. For example, foundations of firewalls should be a general course, and product-specific courses should build on that. There also needs to be better conversion training: an advanced admin of product X should have a better certification and training path to achieving a similar level on product Y. Otherwise, certifications today are either the all-in-one CISSP or an alphabet soup that is effectively meaningless for filling jobs or assessing a provider. Government seems the help of last resort on non-product certifications, but I think we’re there.
For all the investment and noise about the importance of cybersecurity, if the free market has failed with CISSP et al., then government needs to sponsor or assist (not direct) a re-invention of what gives those marks of achievement and progression (note that those are plural, not a single certification) for our cybersecurity people. Heck, we do it for so many trades we rely on for trusted service, from mechanics to electricians; why not for the security that protects our lives and economy?
Security on its own has no value: it’s a verb that is applied to a technology. As technology changes, so must security. The challenge is that, unlike one technology changing on a cycle, any technology change in your business can have a security impact that needs addressing. This is the primary reason that security appears so chaotic: it necessarily reacts to multiple sources of disruption. This isn’t going away. So what’s the fix? More resilient security architectures that presume change. We have this already in some aspects, such as multi-cloud support in many security products that support AWS, Azure, Google Cloud, VMware, et al. Another is how we fund and provision security. Some leading organizations tie the security budget to the IT budget in some way, and that becomes more important as a way to tie security investment to complexity.
Increased Detection, and FPP
Security has just gone through a wave of adding increased detection capability. This has been great for finding attacks that evade signatures or haven’t previously been seen. The downside is that this has led to a glut of events to process in some organizations. Increased detection has generally meant an increase in alerts that have lower confidence than purely signature-based methods. Of course there is high-fidelity non-signature alerting, but there’s clearly an increase in FPP (False Positives Phobia). All these extra alerts and extra indicators of compromise would be awesome if we had a matching increase in people, but we don’t. So what’s the fix? This is the best opportunity on the list: taking all this new security information and getting refined value from it without throwing people at the issue. One big win is real machine learning (ML). True AI is the next step, but today assistance by ML is a real security force multiplier. Outsourcing through managed security service providers (MSSPs) has always been an option, but they too struggle with staffing, so a hybrid approach of ML+MSSP is very cool as a managed detection and response (MDR) option. Increasing feeds of alerts and information need to be matched with ML assistance where the ML doesn’t just produce more alerts needing human intervention.
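The point above, that new detection feeds should raise confidence rather than raise the alert count, can be shown without any ML at all. The following is an added example, not code from the original post: a small rule-based correlator that groups low-confidence anomaly alerts by host and time window, lets distinct corroborating rules lift a group’s score, and escalates only the groups that clear a bar. The alert shape, the ten-minute window, the escalation threshold and the scoring weights are assumptions; the alerts themselves are constructed sample data.

```python
"""Correlate low-confidence detections into a short list of incidents.

Added example, not code from the original post. The alert fields, window,
threshold and weights are assumptions; SAMPLE_ALERTS is constructed data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: the signature hit carries high confidence; the
# anomaly/ML detections are individually weak but become meaningful when
# several different rules fire on the same host within a short window.
SAMPLE_ALERTS = [
    {"ts": "2018-11-04T10:00:05", "host": "ws-17", "source": "signature", "rule": "known-malware-hash", "confidence": 0.95},
    {"ts": "2018-11-04T10:00:40", "host": "ws-17", "source": "anomaly", "rule": "rare-parent-child-process", "confidence": 0.35},
    {"ts": "2018-11-04T10:01:10", "host": "ws-17", "source": "anomaly", "rule": "outbound-beacon-periodicity", "confidence": 0.40},
    {"ts": "2018-11-04T10:02:00", "host": "ws-17", "source": "anomaly", "rule": "rare-parent-child-process", "confidence": 0.30},
    {"ts": "2018-11-04T11:15:00", "host": "ws-22", "source": "anomaly", "rule": "unusual-logon-hour", "confidence": 0.25},
    {"ts": "2018-11-04T11:16:30", "host": "ws-22", "source": "anomaly", "rule": "new-admin-tool-execution", "confidence": 0.45},
    {"ts": "2018-11-04T11:17:00", "host": "ws-22", "source": "anomaly", "rule": "outbound-beacon-periodicity", "confidence": 0.40},
    {"ts": "2018-11-04T14:05:00", "host": "ws-31", "source": "anomaly", "rule": "unusual-logon-hour", "confidence": 0.25},
    {"ts": "2018-11-04T16:40:00", "host": "ws-44", "source": "anomaly", "rule": "rare-parent-child-process", "confidence": 0.30},
]

WINDOW = timedelta(minutes=10)   # assumption: alerts on one host within 10 min belong together
ESCALATE_AT = 0.7                # assumption: groups scoring >= 0.7 go to a human


def group_alerts(alerts, window=WINDOW):
    """Group alerts by host; start a new group when the time gap exceeds the window."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    groups = []
    for items in by_host.values():
        current = [items[0]]
        for a in items[1:]:
            prev = datetime.fromisoformat(current[-1]["ts"])
            if datetime.fromisoformat(a["ts"]) - prev <= window:
                current.append(a)
            else:
                groups.append(current)
                current = [a]
        groups.append(current)
    return groups


def score_group(group):
    """Combine the strongest alert with corroboration from distinct rules.

    Repeated firings of the same rule add nothing; each additional distinct
    rule adds 0.15, so several independent weak signals can reach the bar.
    """
    strongest = max(a["confidence"] for a in group)
    distinct_rules = {a["rule"] for a in group}
    corroboration = 0.15 * (len(distinct_rules) - 1)
    return min(1.0, strongest + corroboration)


def triage(alerts):
    """Return (escalated incidents, suppressed groups); escalated is sorted by score."""
    escalated, suppressed = [], []
    for group in group_alerts(alerts):
        incident = {
            "host": group[0]["host"],
            "score": round(score_group(group), 2),
            "rules": sorted({a["rule"] for a in group}),
            "alert_count": len(group),
        }
        (escalated if incident["score"] >= ESCALATE_AT else suppressed).append(incident)
    escalated.sort(key=lambda i: i["score"], reverse=True)
    return escalated, suppressed


if __name__ == "__main__":
    esc, sup = triage(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(esc)} incidents for a human, "
          f"{len(sup)} groups held for automated enrichment")
    for incident in esc:
        print(incident)
```

On the constructed data, nine raw alerts collapse to two incidents for an analyst: ws-17 (a signature hit corroborated by two anomaly rules) and ws-22 (three independent weak anomaly rules that only clear the bar together). The two lone anomaly alerts on ws-31 and ws-44 stay below the threshold and are held for automated enrichment rather than becoming tickets. The same structure is what an ML-assisted pipeline should deliver: the model’s job is to raise the score of groups that matter, not to emit one more alert per prediction.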