Tackling the Cybersecurity Skills Gap: Advice from Industry Experts

Mar 11, 2020 18:01 · 2349 words · 12 minute read

Every available data source on this topic, whether it be surveys of cybersecurity professionals or a quantification of open job positions, confirms what we already know: there is a tremendous gap between supply and demand for cybersecurity professionals, particularly an acute need for technical cybersecurity talent. There are a number of different initiatives underway globally to address the supply part of the problem, namely in the form of more robust formal educational opportunities and programs, professional training and certifications, and even competitions to identify and refine talent. However, any reasonable projection for the near future still suggests that the gap is not going to close anytime soon. In the meantime, organizations can do a number of things to try to address the skills gap. Obviously there are opportunities for increased investment in security automation, as well as opportunities to outsource and consume services through externally provided managed services.

One of the most important aspects of cybersecurity to keep in mind, though, and one that does touch on this problem, is that cybersecurity is inherently an interdisciplinary, cross-functional challenge. If we begin to view cybersecurity as directly related to the central nervous system of an organization, the critical infrastructure that ties together all the parts of the organization, that both receives sensory input and provides guidance back out to its many parts, that communicates with the outside world and with its many partners and suppliers, and the data that resides within the organization and is used to make important business decisions and ultimately to do what the organization is designed to do; if we begin to view the problem that way, then we realize that it in fact touches on much more than just the IT department with some help from the HR department, which is often how cybersecurity tends to be viewed. When we realize the cross-functional and interdisciplinary nature of the problem, then we can begin to engage all parts of the organization, with leaders from legal and finance to IT and operations to sales and marketing, recognizing that every part of the organization manages important, sensitive data and information and has an influence on the type of systems and tools that are used to perform its many functions. When we can do that, then we begin to engage other people in the problem, whether they be legal and finance professionals that are tied to compliance and other requirements, or sales and marketing professionals handling sensitive information regarding partners and customers, or non-security-oriented IT professionals that begin to contribute to the security problem and to solving it. Then we begin to address not just the supply part of the problem but actually the demand side of it, meaning the organizations that need cybersecurity in the first place can begin to leverage a broader set of resources, a broader number of people that are already working there, to begin to secure the data and systems upon which the organization relies and which are so critical to achieving a higher state of cybersecurity.

Hi, I'm Melissa Miller, application security advocate for Snyk, and the topic is the cyber skills gap. There's a lot of discussion in the cybersecurity community about this skills gap and the trouble that corporations are having in hiring skilled cybersecurity individuals. As we look at that problem, I think one of the key issues we're seeing, and I hear this all the time from my colleagues and I've seen it in research I've done, is that our job descriptions are wildly unrealistic. If you look at job descriptions that are out there today, you'll see things where entry-level positions are asking for a CISSP certification; anybody who knows about that certification knows you need five years of experience just to get it. I've seen other things that just ask for wild amounts of technology experience that no single person could have. I've even seen impossible things like 12 years of AWS experience; well, unless you're Jeff Bezos, you probably don't have that level of experience. So I think that's one of the big barriers we have right now in the industry: just getting job descriptions out there that are sensible and will attract the right people that we want to apply for those jobs.

The problem with this is far-reaching. As these positions stay open for a long period of time, it puts extra stress on the rest of our security teams, and we see this: the turnover is almost astronomical in the cybersecurity community. The average time on the job, the last study I saw said, was two and a half years. That's not because salaries are higher; that's because people are getting burned out in their jobs and they're leaving to go to other cybersecurity jobs. They're not leaving for more money; they're leaving for environments where they feel they have a better balance. So the struggle becomes: how do we continue to secure our systems when our teams are in these positions? The fact is we have to start looking internally. We have to start looking at who are those folks within our organization who have a desire to expand their skills into security, and we'd start looking at how we develop those people, how we start to enable them, how we provide training and opportunities for them to show what they can do in security. So it's a long road, we've got a lot of work to do, but those are my thoughts on the cybersecurity skills gap.

My name is Anthony Israel-Davis and I'm a senior manager in R&D. One way to fill the skills gap is outsourcing, and it's a great way to do that. There are short-staffed teams; they need the help, and having somebody outside of the team is great. However, outsourcing does have its limitations. First, often when you outsource you're only filling one particular control niche, so they're not filling an entire need for your security controls, so that's something to be considering. Second is that you need somebody to be able to consume whatever that outsourced resource is providing. So if you're getting information, if you're getting vulnerability reports, somebody needs to be able to consume that information and then turn that into actionable business activities in order to be able to consume the risk, so they'll be able to determine what it actually is they're getting. And finally, when you outsource you spread the risk, which can be good, but it can also be a challenge because you need to have very clear boundaries about what that risk is, who is responsible for what, and how to respond once something comes in, such as a breach report or something that looks like it needs immediate action.

Hi, my name is Jim Coulson, director of Hidden Text and freelance consultant. I believe the skills gap is a twofold issue: we can't hire and we can't train fast enough. Firstly, the number of available people with an interest in our industry is growing; they're enthusiastic and passionate about our career. However, that is not good enough to pass the current HR processes, and as a result candidates become despondent and take up other IT roles instead. Secondly, the myriad of technologies is such that training may only be relevant for one technology stack, and when a talented individual applies for other roles they may find the hiring company doesn't recognize the transferable skills; they can't put a tick in a box, so they don't hire the candidate. So companies need to go back to basics. Number one, don't look for the unicorns, those one in 1,000 people; currently companies are discounting the 999 other talented individuals who could grow in that company. Number two, don't advertise hyper-specific requirements and job roles; understand the ideal candidate may not apply if they cannot tick all the boxes. Number three, instead of a keyword search by the HR team, allow them to do basic filters but then be guided by the managers that will be looking after these people: look for the transferable skills. Number four, instead of a full interview, which can put off neurodiverse candidates, consider putting in scenario and/or competence-based tests, which will then allow a candidate to demonstrate their passion and ability. Doing these will identify passionate talent that can actually do the job despite not necessarily ticking all the hyper-specific boxes on the job advert. Thank you very much.

Hi, my name is Chloe Messdaghi and I'm here to give some feedback on how to recruit and also how to retain your employees. It's really important to show that you care about your employees, and the way to do that is by doing something meaningful: provide training for them, have one-on-ones with them, find out what their goals are, and create a roadmap together and see them go and hit that goal. The best way to do this is to be that manager that wants to see their employees succeed in life and is cheering them on the entire way. Now, it's also important to have a conversation with your team about work-life balance, because burnout is prevalent in InfoSec, and whenever people are burnt out it's a mental health issue, and in return what happens is that it also puts security at the company at risk. So please take care of your employees and ensure they know you do care. Now, the other thing I want to touch on is diversity and inclusion. Today, when women are looking at jobs, they will apply only to jobs where they fit a hundred percent of the criteria, versus men, for whom it's sixty percent, and in return women end up applying to 20 percent fewer jobs than men. Even when underrepresented persons apply and are fully qualified for that position, they don't get the position, still today, and the reason for that is that we have prejudices and biases that still very much exist in InfoSec because it remains unchecked, and we're not doing enough to change the situation. In reality, what's going to keep on occurring is having this rotating door because we're not doing enough in inclusion. So in order to change that situation, please reach out to organizations that work with underrepresented persons and do whatever it takes to change the situation and make it more welcoming, so that all people can be part of InfoSec without any pain. Thank you for your time and I hope that's helpful.

A lot of organizations are looking for folks with multiple years of experience in technologies that have not been around for very long. The information security environment is evolving faster than most organizations can keep up with. I think the biggest thing a company can do is to look to hire folks with transferable skills, such as a passion for security, a curiosity to tinker with how things work, and outside-of-the-box thinking. This type of drive is hard to teach, so organizations should hire this type of talent when they find it, and then they can teach the security skills afterwards. In order to do that, however, it requires that organizations invest heavily in keeping their teams trained up. This obviously takes away from office time, but it is essential to keeping teams up to date with the latest threats and trends.

Another very important skill is communication. Many technical folks do not necessarily understand the impact that security can have on the operation of their organization. An organization is never going to be a hundred percent secure, so it is very important to understand the trade-offs in minimizing risk while maintaining optimal business efficiency. This is another area that organizations should spend time training their teams on. Part of the onboarding process should include some training on what it is that the business does, as well as ongoing training on the organizational goals and progress towards those goals. Small teams typically outsource many of their security functions to managed service providers or managed security service providers. When selecting these providers, it is also key to select providers that can integrate the business goals of the organization into the management of their security tools. Focus on implementing security tools with metrics that can clearly help to identify the risk to the business and the activities that mitigate that risk. For example, reporting on the number of missing patches means nothing to the business, but reporting on the risk that vulnerabilities and insecure configurations present to the organization can show both the current risk posture and the impact the program has on mitigating the risk to the business. Only while maintaining an open dialogue of communication can these goals be achieved together.

Hi, my name is Onyeka, I'm a senior product manager at Tripwire and responsible for ExpertOps, our managed security offering. The cybersecurity skills gap has been well documented. It is getting harder and harder for security teams to hire and retain cybersecurity staff. As a result, the existing security teams often feel stretched and overwhelmed managing multiple security tools and just dealing with all of the security data that is often produced by those tools. This is where managed security offerings can help, and organizations are actually embracing this more and more because it helps their security team stay focused on strategic activities rather than the mundane tasks of managing yet another security tool. By adopting and embracing managed security offerings, security teams can focus on what's really important while the vendor is responsible for deploying the solution, managing it, and also providing expertise, essentially acting as an extension of your security team. So for organizations that want to insulate their security teams from the challenges of the cybersecurity skills gap, managed offerings are a great solution.