Addressing the security skills gap

By Steve Mair - Senior Cyber Security Consultant at PGI

I've seen many articles and many discussions recently about whether there's a cyber security skills shortage or not. I thought I'd share my thoughts on the topic.

Before we start, let's remove the word "cyber" from the discussion, and just talk about security. As far as I'm concerned, cyber is a component of Information Security, so this article will incorporate that view.

I think that most of us would agree that there are too few people with security skills for the number of vacancies which are out there. We'd also agree that the most likely recruiting ground to fill those gaps is from the world of IT. So, is it easy to take someone with an IT background and train them up to work in the security world? I don't think there's a straightforward "yes" or "no" answer: "it depends" is more appropriate, in my experience. The right mind-set is what is needed, irrespective of background. Some people "get" security and others don't. 

I believe that some people are inherently security minded. They know instinctively that data needs to be protected and take that into account without any additional conscious thought. To illustrate this I'll give you an example, from my own dim and distant past. Back when 386 and 486 PCs were the most powerful around, when a network server with 100 Mb storage was almost unheard of, I ran a small Computer Aided Drafting office with a number of users working on a number of different projects. You've probably twigged that security was not on anyone's radar back then, but as the system administrator I only gave users access to those projects which they were working on: the principle of least privilege as we know it today. I hope you'd agree that this demonstrates a security mind-set even then, over 25 years ago.

I know that some people are not security minded. The most obvious example of this concerns the use of OWASP when developing systems (sorry, but it's a recurring issue). OWASP has been around for what, 15 years or so, and in all that time SQL Injection has been in the top 5 vulnerabilities - and continues to be so. Surely this points to a lack of secure thinking, of developers doing what they're tasked with (getting a website up and running ASAP) without taking into account the security requirements. This is probably down to lack of direction or security appetite from their management, or lack of training, because I don't believe people are deliberately writing insecure systems: they're just not appropriately rewarded for developing secure ones.

So, back to the question at hand: can you train IT professionals up to be security experts? The answer is yes, but you'll find it easier with those who are security minded from the outset. Those who don't have that mind-set will have to work that bit harder to adapt their thinking. 

The question then becomes, what roles should your [former] IT staff be looking to fill? And what sort of career progression can they expect? A good example would be to take a network engineer and develop them by ensuring they have CompTIA Network+ and Security+ qualifications then move them into Penetration Testing, Incident Response or Security Operations analyst roles, with whatever additional training and support those may entail. 

In my opinion, there IS a security skills shortage, but the gap can be closed relatively quickly and easily by training your own existing staff. That's got to be good for staff retention (and their career development), there are no recruitment costs (training will be much cheaper than agency fees), and they already know your systems so will be more effective more quickly than bringing someone new in.