A topic that is cropping up time and time again across the cybersecurity world is the apparent ‘skills gap’, whereby companies are struggling to find individuals with the right level of knowledge to successfully fill the plethora of security roles that are currently available.
Of course, the cybersecurity industry is not alone in facing this challenge, with sectors such as healthcare, engineering and advanced manufacturing all battling the same problem.
However, with research suggesting 2016 will see the highest levels of cybercrime ever and the General Data Protection Regulation soon coming into play, the need for companies to find more skilled security people is now imperative. You can have all the high-tech tools you want, but if you don’t have skilled and intelligent people who can interpret them, they count for nothing.
Recent findings by RSA Conference and ISACA revealed a damning verdict on the skills situation in 2015, with six out of 10 security professionals saying they do not believe their staff can handle anything beyond simple cybersecurity incidents. In addition, 59% of those polled admitted less than half of candidates are “qualified upon hire” when they are taken on.
As with any problem, to address the issue you have to get to the cause; only then can you put together a plan of action that can turn things around. So firstly, what is causing the skills gap in cybersecurity?
Cybersecurity is a complex, difficult area of technology. It’s hard enough to find somebody who shows promise at entry level, or someone who can deploy a firewall – but people who know how to detect and hunt bad guys are very rare because they need to be able to think like hackers, which is a big ask.
Along with this, David Flower, Vice President & Managing Director EMEA at Carbon Black, explained to Infosecurity that another hurdle companies face is that the cyber world is “changing so rapidly.”
“It’s near impossible to keep up with courses and training on everything that is coming up. There really is no replacement for experience and as a lot of the technology and threats are quite new, finding that experience is hard – and expensive!” he said.
So now we know some of the causes, let’s look at what needs to be done to start to close the skills gap and build a stronger cybersecurity industry.
Speaking at the 2016 RSA Conference in San Francisco yesterday, Christopher D. Young, a Senior Vice President and the General Manager of the Intel Security Group at Intel Corporation, said that in order to replenish talent, greater emphasis needs to be placed on enticing more digital-savvy young people into the sector, stating education and membership opportunities could help to do this.
This suggests school and university goers need to be given more insight into what opportunities are out there for them in the cyber industry, sentiments echoed by Morgan Mayernik, a freshman engineering student who joined Young on stage.
“A lot of it is about making students aware that these opportunities exist, giving them the chance to delve into these topics. Give us the opportunities, we’ll take them,” she added.
That’s all well and good for educating youngsters who are looking to pave their way in the field, but what about improving the skills of the people who already find themselves in a security job?
Ron Hale, Chief Knowledge Officer of ISACA, argues the conventional techniques companies currently use to train their staff are failing, suggesting they should be replaced with newer, more relevant methods.
“Hands-on, skills-based training is critical to closing the cybersecurity skills gap and effectively developing a strong cyber workforce.”
David Flower shares a similar view.
“Organizations need to ensure that their security team’s time is being used wisely – not wasted fending off false positives and alerts,” he told Infosecurity. “So having the right technology in place that can automate processes where possible is critical as it allows teams to focus on the value-added work – hunting threats, spotting suspicious activity.”
“The industry [also] needs to unite and share data. We call ourselves the security ‘community’, I think it’s time we started acting like one,” he added.
Oddly though, there is a silver lining to all of this – a lack of skills is impacting the dark web too!
Research by Digital Shadows found cyber-criminals are also struggling to find the best talent who not only have the right technical knowledge but are trustworthy. This has resulted in them having to use slow, rigorous recruitment techniques to go after “low hanging fruit” as opposed to individuals with ground-breaking hacking abilities.