It’s no secret that the security industry suffers from a severe skills shortage. Amongst the many cybersecurity positions companies are currently challenged to fill are penetration testers’ roles. However, of all the skills that are in high demand and short supply, pen testing shouldn’t be one of them. Pen testers are the rock stars of infosec – everyone wants to be a pen tester. Moreover, companies clearly recognize the need for pen testing skills. So, what is the problem?
According to joint research conducted by the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA), 23% of organizations report having a shortage of pen testers, ranking penetration testing fourth on the list of cybersecurity skills where they suffer the largest shortage.
However, the problem isn’t a lack of qualified candidates; the problem is how companies approach penetration testing. On the one hand, some companies are inadvertently turning away qualified candidates while, on the other, they simply aren’t willing to put in the effort to develop pen testing skills internally.
Calling All Pen Testing ‘Experts’
Companies demand productivity. They want to fill open positions with people who can hit the ground running, but when it comes to IT skills, HR has unreasonable expectations for how productivity translates to experience.
An ‘expert’, so far as HR is concerned, has at least 10 years of experience in a given area. That is a problem when you are hiring for tech skills. A hiring manager tells HR that they want an ‘expert’ in a programming language – say, Swift – and that immediately gets translated into 10 years of experience. Swift was introduced in 2014. The company will be lucky to find a candidate with three years of experience.
You can see how the exacting demands recruiters place on job capabilities and requirements artificially constrain the supply of qualified pen testers. Qualified candidates don’t even get past keyword filters on job sites. As a result, candidates who could quickly come up to speed are passed over. Companies need to lower their expectations when posting job requirements, or be willing to take a shot at someone who exhibits the foundational skills and characteristics of a good penetration tester.
Growing Your Own Pen Testers
Penetration testing skills are available – if you’re willing to put in the time and effort to nurture them.
IT professionals are in ample supply, and their skillset serves as a strong foundation for network penetration testing skills. Businesses should look for individuals in their IT department who are willing to cross-train: someone who has hands-on experience actually running systems, not someone from the help desk. Five to seven years of IT admin experience is preferable, as it indicates that the person is functional enough to hold down professional work, and they won’t need to be broken out of bad academic habits.
Besides the years of experience, it is important to understand the technical knowledge of the candidates. For example, while IT admins might know how to configure a firewall or router, a successful pen tester also needs to understand the inner workings of a firewall, down to how it is built. We all know there are encryption algorithms, but a pen tester ‘wanna-be’ should also know the inner workings of some of those algorithms. That hunger for understanding things in detail will drive the curiosity to think about the broader situations where most security problems arise. Having a software development background is another important skill, especially for those pen testers who will also assess applications. Not only will the development background provide insight into how machines and frameworks work, but it will also provide the foundations for understanding how to assess applications from a security standpoint.
Candidates should also have a track record of being fast learners and being adaptable. No two pen tests are alike, and no two systems are alike. Pen testers usually need to be able to develop and customize tools, so adaptability and programming knowledge are a must. Good pen testers have the ability to problem-solve on their own and are used to learning and thinking independently.
The ideal pen tester also exhibits a healthy dose of deviancy. Some people are so bound by the rules of a system that they can’t think beyond it. They can’t fathom the failure modes of a system. Future penetration testers should have a natural inclination toward pushing the boundaries – especially when they are told, in no uncertain terms, not to do so. These are the people who learn best by doing.
It’s also important to understand that you won’t get instant results. You can’t send your IT admin to a weekend bootcamp and turn them into a pen tester. It takes time to develop pen testing skills. However, organizations can facilitate the process by setting up a proper apprenticeship.
The apprenticeship model was once used to train professionals of all trades because it worked. People learn well by doing alongside an expert. It was only fairly recently that society abandoned the apprenticeship model for mass education, but the apprenticeship model is tried-and-true, and it really works for pen testing.
It’s critical that organizations change their approach to hiring pen testers or invest the time to nurture pen testing skills in their IT professionals. The alternative – suffering a data breach due to a weak infrastructure – is unacceptable today; 70% of cybersecurity professionals reported to the ESG and ISSA that the global cybersecurity skills shortage has impacted their organizations. Penetration testing doesn’t have to be one of the areas where that shortage is felt.
Chris Sullivan oversees all aspects of Core’s security principles, strategy and posture, and the overall technology strategy across business lines and partnerships. In addition, Chris helps drive CoreLabs, a center for cyber security research and innovation, which maximizes collaboration between developers and cyber defenders across all security domains.
Previously, Chris held positions as General Manager of Core Security’s Intelligence/Analytics business, and VP of EMEA Operations, Advanced Solutions, Customer Solutions and Professional Services. He also serves as Chairman of the Access Risk Benchmarking Committee for ISACA and is a frequent speaker at industry conferences including the European Identity Conference, the Gartner Catalyst Conference, the MIT International Science and Technology Initiatives (MISTI), the IT GRC Forum and the ISACA ISRM conference. Chris received a Bachelor of Science degree in Computer Science from Northeastern University.