Avoiding the Security Skills Gap
31 March 2014





There is no denying that there is a global shortage of skilled security professionals or, as I like to say, 'security people'. The issue is so widely recognised that governments are concerned. Initiatives in the UK have been launched to find security talent and to stimulate interest in the industry. These initiatives include the UK Cyber Security Challenge and a national cyber security schools programme backed by the Cabinet Office.

While there is widespread agreement that there is a skills gap, there is wide debate around what to do about it. Some argue that more technically skilled people are required while others argue that more security generalists are needed. The '2013 ISC2 Global Information Security Workforce Study' provides an in-depth analysis of the skills shortage landscape. This report details the security skills and attributes various sectors consider a priority. The top three security success factors highlighted, in order of importance, were:

1st - 'A broad understanding of the security field'
2nd - 'Communication Skills'
3rd - 'Technical Knowledge'

Banking, finance and insurance placed an emphasis on 'broad understanding', while government and tech sectors placed emphasis on 'technical knowledge'. Interestingly, healthcare respondents placed 'communication skills' as the most important skill. You may wish to draw your own conclusions about why different sector respondents ranked different skills higher or lower in order of priority.

There is rational argument in all quarters when it comes to what needs to be done and which area of the security skills gap really needs to be addressed. In reality a broad range of skilled security people are required from geek to sleek. In the majority of cases one would not want to send the top geek to gain board level buy-in and the chances that the top security business luncher is going to spot a buffer overflow attack circumventing 'canaries' is slim. In the short term I do suspect there may be a greater increase in demand for technical security people due to the rapidly shifting security landscape and the need to identify intrusion, restore and recover from an intrusion quickly.

Argument around skills priority or what is the best strategy to develop and nurture the security talent of the future is partly academic when the skills gap exists in many organisations now. Currently there is an emerging drive to focus resources more closely on identifying intrusion and recovering from compromised systems as swiftly as possible. To achieve this, technically skilled and experienced security people are required. Security solutions and services can only do so much. The human factor is key, married with a deep understanding of security and knowledge of what to look for. This trend may also suggest that there should be a shift to focus on the skills required to analyse security data. Unfortunately, as we generally agree, there is a skills shortage. There is a particular skills gap in the technical skills required to support the trend towards rapid identification and analysis of intrusion, or is there? Maybe there is untapped resource in many security disciplines. Maybe we are not looking in the right place or just not letting them in. An interesting presentation made me stop and think...

...a presentation by Winn Schwartau at Hacker Halted (Miami) 2012 entitled 'Solving the Cyber Security Hiring Crisis DHS and the Great Talent Search' suggests that the industry should be able to embrace autism, and he goes on to provide reasonable rationale for this. His presentation is well worth watching to get the full story. In summary, he presents the notion that typical recruitment practice excludes those who may be most suitable for various security roles.

There is a widespread view that businesses simply cannot find the right security people. But do they actually know who the right people are to protect their businesses? Organisations will face an increasing struggle as long as they attempt to select people that fit with corporate vanity. Such organisations will always have a security skills gap. However, for those businesses that have the desire to adapt, there is an option. Winn Schwartau makes a point in his presentation that HR often exclude people simply because they do not fit the mould. Addressing this very point and adapting the work environment and attitude to accommodate those individuals who may not fit the corporate mould may very well help some organisations avoid the security skills gap. Security technology, operations and process are now a critical organ of an enterprise. A simple change in the corporate recruitment mindset could go a long way to help an enterprise meet its strategic security and business objectives.

If a business driver is needed to convince anyone that typical corporate attitude to hiring needs to change, then just say the word Google. Google is renowned for its work environment and culture and it probably does not struggle to recruit the people it needs. It should not surprise anyone why Google has risen so fast to its dominant position: People! Playtime! And if they want, Ponchos! Unfortunately there are rumours that the cultural conduit to its success is changing, but that should not deter others from following that ethos. There appears to be less of a skills gap in creative industries and that's probably because the industry knows the type of people and skills they require and implicitly embraces their creative ways.

We may be able to train people to work in security and fill part of the gap, but that won't make them 'security people', and it's security people the industry needs to defend against emerging threats. It is worth noting that it was a postman, Dan Summers, who was the first overall champion of the UK Cyber Security Challenge. He promptly moved into the Royal Mail information security team responsible for vulnerability management.

2013 ISC2 Global Information Security Workforce Study
Solving the Cyber Security Hiring Crisis DHS and the Great Talent Search

varlogsecurity blog
The place where I share my personal opinion and observations on the world of IT security.
