Hard Tech Skills Remain the Priority, by Chris Dunning-Walton
This year promises to be a challenging one for organizations recruiting new personnel within information security. Last year saw a number of high-profile threats, attacks and breaches at the forefront of the news including Heartbleed, Shellshock, Microsoft’s SChannel flaw and the Sony hack, which continues to be played out. Last year, according to PwC’s Information Security Breaches Survey, 81% of large organizations had a security breach, and the cost of said breaches in the UK was nearly double 2013 levels.
As such, the need for new recruits in the information security industry has never been higher. A considerable skills shortage across all levels in the industry currently exists, from graduates and junior positions, to CISOs and heads of security. This looks likely to remain the case throughout 2015 as more organizations realize that cybersecurity has become a persistent, all-encompassing business risk and look to mitigate this through hiring additional security personnel.
For the vast majority of our clients seeking new recruits within their security teams, a strong technical understanding is currently the most important attribute for the majority of roles. Having spoken with a number of other CISOs and hiring managers, I would argue this is generally the case within the wider security industry at the moment.
This issue is more pertinent for less experienced or entry-level professionals, where the need for a good technical understanding overwhelmingly supersedes softer skills and business knowledge, which can be gained through training and in-post experience. Graduate positions advertised invariably stipulate a degree in IT, engineering or maths, with further education or relevant certifications within information security a distinct advantage.
If we consider trainee or junior positions where professionals have the opportunity to move into the security sector from elsewhere, again the vast majority assume a technical background or require hands-on IT experience. Vulnerability assessors and pen testers, security programmers, network or system security analysts, IAM administrators, NOC and SOC analysts, incident response analysts and junior security consultants are all roles that offer an opportunity to move into the industry, but are far more readily available to those with an existing technical background.
"Having a strong technical background allows new recruits to explore a far higher number of avenues"
The majority of current security training and development courses available (IISP, (ISC)2, SANS, CREST) also require delegates to have a good technical understanding prior to attending, and whilst internal training and development is now increasing, hiring managers continue to favour new recruits who have a fundamental knowledge of technology over those without.
For management and leadership roles, the emphasis on deep technical understanding does lessen, with more prominence on transferable business and softer skills. Here we can see a greater crossover of applicants from outside of the technical sectors who have an understanding of security principles and highly transferable business skills.
Indeed the role of a CISO these days sees the technical considerations as only a small aspect of overall responsibilities, working much more at the strategic level within the business. By and large in my experience, however, those at the management layer of security within organizations will have a technical background, albeit historic, from a hands-on perspective.
Not having a strong technical background does not mean you cannot enter the sector – some excellent opportunities are available to those with little or no technical understanding, notably within areas such as risk and regulatory compliance, sales support, security awareness and training, as well as recruitment.
However, I would argue that in the current climate where organizations remain understandably risk-averse in their recruitment strategy, having a strong technical background allows new recruits to explore a far higher number of avenues.
As cybersecurity is a profession developing momentum, and with security training, career development and entry paths continuing to mature, I can see no reason why this shouldn’t change in the future, which will be a positive move for everyone.
Time for a Softly-Softly Approach, by Brian Honan
As an independent consultant in the field of information security I have seen a lot of changes over the years. From infosec being an area that was often overlooked by businesses, it is now one of the fastest growing areas in technology. This change has led to an infosec ‘skills gap’ where many companies are citing they cannot hire anyone to fill their vacant infosec roles. Indeed, I am regularly asked by various companies if I am aware of anyone looking to change career and, if so, whether I could point those people to the company’s vacancy.
Yet, at the same time, I talk to many professionals who lament that they cannot break into the information security field. Many cite that they feel they are not technical enough to get into the area, or that they do not have enough experience.
Many believe that to be successful in infosec you need a very strong technical background. The argument is that, as infosec is so reliant on technology, you need to be strong technically to understand not only how that technology works, but also how it fails, so that you can better secure it. While this may be true in a number of specific infosec roles, such as penetration testing, security/system administration, malware analysis, and development of security tools, I contend that this is not true of all roles.
The headlines have recently been full of security-related stories which cast an aura of highly technical adversaries breaking through companies’ defenses with ease. Yet, if we look at the root causes behind these breaches, or indeed read the excellent Verizon Data Breach Investigations Report, we see that many breaches are not that technical and are in fact caused by simple issues such as the human factor, lack of training, ineffective operation processes such as patch management, or good old lack of security awareness.
None of the above areas requires strong technical skills to address and, indeed, as information security is becoming more of a mainstream concern for many businesses, strong technical skills, to the detriment of other softer skills, may in fact turn out to be a disadvantage. For companies to have effective information security, the area has to become embedded as a key component of overall business activity.
"As information security is becoming more of a mainstream concern, strong technical skills, to the detriment of other softer skills, may in fact turn out to be a disadvantage"
Responsibility for information security is now too important to be left solely in the hands of the technical experts. Instead, everyone from the board right down the organization’s hierarchy must share that responsibility. In order to do so we need to be better able to communicate to business stakeholders why they need to care about information security. This involves many soft skills such as being able to present complex infosec concepts in simple terms to employees from various business backgrounds.
We also need to be better able to ascertain information security risk and how those risks can impact the business. Too often I see reports going to senior management not being acted upon because they are littered with too much technical detail and not enough on the business impact. As an industry we need to better communicate with key decision makers and not just focus on the technical issues.
As a result, the key requirements I look for in new recruits to the industry are a passion for the topic and the ability to communicate clearly and effectively. Indeed, some of the most successful people I have worked with come from non-technical areas.
Many other respected professionals within the field will also claim they do not have a technical background. Yes, technical skills are important and we will always need specialists in the more technical aspects of our industry, but technical skills are no longer the be-all and end-all for a successful career in information security. Technical skills can be taught and improved upon, whereas the soft skills required to communicate effectively with others are harder to teach.
Over time, technology becomes dated, as do the related skills. As an individual progresses through their career, they will also find they move more and more away from pure technology roles. Passion, curiosity and the ability to communicate are skills that will last throughout one’s career and will also make us more effective infosec professionals.
This debate column was originally published in the Q1 2015 issue of Infosecurity – available free in print and digital formats to registered users