The skills we need but cannot find.
We have discussed, at length, the way that technology is infiltrating every aspect of our lives and how cyber crime is becoming a major issue for corporates and private citizens alike. It is a situation that can be compared with the Wild West, where lawlessness is the order of the day.
This doesn’t mean that we need to stop using technology. That is virtually impossible in an always-on world. It means that there needs to be a focus on protection and on ways to fight the growth of cyber crime and the impact it has on society.
Easier said than done.
However, this is easier said than done. Cyber crime is constantly evolving as technology changes. This means that the skills to combat cyber crime are desperately needed but hard to find.
I recently read an article on TechCrunch which points out that the lack of skills in the US is deeply concerning.
One of the most senior officials tasked with protecting U.S. critical infrastructure says that the lack of security professionals in the U.S. is one of the leading threats to national cybersecurity.
The article points out that, speaking at TechCrunch Disrupt SF, Jeanette Manfra, the assistant director for cybersecurity for Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), said that the agency was making training for new cybersecurity professionals a priority.
“It’s a national security risk that we don’t have the talent regardless of whether it’s in the government or the private sector,” said Manfra. “We have a massive shortage that is expected that will grow larger.”
The article adds that Homeland Security is already responding, working on developing curriculum for potential developers as soon as they hit the school system. “We spend a lot of time invested in K-12 curriculum,” she said.
The agency is also looking to take a page from the tech industry’s playbook and is developing a new workforce training program modeled on how the industry recruits and retains individuals.
The article points out that, for Manfra, it’s important that the tech community and the government agencies tasked with protecting the nation’s critical assets work more closely together, and the best way to do that is to encourage a revolving door between cybersecurity agencies and technology companies. That may raise the hackles of privacy experts and private companies, given the friction between what private companies wish to protect and what governments wish were exposed — through things like backdoors — but Manfra says close collaboration is critical.
Manfra envisions that government will pay for scholarships for cybersecurity professionals who will spend three to five years in government before moving into the private sector. “It builds a community of people with shared experience [and] in security we’re all trying to do the same things,” she said.
The article points out that Homeland Security’s priorities include driving down the cost of technologies so that the most vulnerable institutions, such as states, municipalities and townships or the private companies that are tasked with maintaining public infrastructure — that don’t have the same money to spend as the federal government — can protect themselves.
“When you think about a lot of these institutions that are the targets of nation states… a lot of them have resources at their disposal and many of them do not,” said Manfra. “[So] how do we work with the market to build more secure solutions — particularly with industrial control systems.”
The article adds that the public also has a role to play, she said, because it’s not just the actual technological infrastructure that enemies of the U.S. are trying to target, but the overall faith in American institutions — as the Russian attempt to meddle in the 2016 election revealed.
“It’s also about building a more resilient and aware public,” said Manfra. “And adversaries have learned how they can manipulate the trust in these institutions.”
The problem with fighting cyber crime is that the nature of the crime is always evolving as technology evolves. New tactics are found every day, and with payment demands in cryptocurrency, it becomes difficult to track down perpetrators.
There is another side to this, a side which suggests that the skills shortage when it comes to fighting cyber crime is self-inflicted.
Money matters when it comes to recruiting cybersecurity staffers. But, beyond salary, a combination of factors has contributed to the widespread skills shortage, and some issues are worsened by the industry itself.
The Cyberscoop article points out that various studies suggest the shortage of qualified cybersecurity candidates is set to hit 3.4 million unfilled positions by 2021, up from the current level of 2.93 million, with 500,000 of those empty seats located in North America. It’s the kind of existential problem that makes other headaches worse, resulting in possible data breaches not being investigated and the rise of untested security vendors hawking artificial intelligence tools that promise to help corporate security teams run with fewer humans.
The article adds that while enterprise executives and recruiters agree there is a significant dearth of skilled security professionals, there is a surge of momentum behind the argument that the industry’s staffing shortage is self-inflicted. The lack of qualified job candidates isn’t just a supply-and-demand issue, according to a Forrester report published in July, but also a deeper failure of bias, expectation, compensation and commitment to effective recruiting and retention, analysts argue.
Too many chiefs.
The article points out that too many hiring managers “expect to hire MacGyver but pay like McDonalds,” says the report.
“Job postings will require a bachelor’s degree with five to seven years of experience with all kinds of technology, and a master’s degree preferred, but by the way we only want to pay you $85,000 a year,” Chase Cunningham, one of the Forrester analysts who authored the findings told Cyberscoop.
“That’s an alignment problem where hiring people are looking through the lens of software development, and it’s ‘If you know how to build an app or use Java or Python, your worth is this,’” he told Cyberscoop, “that’s not how it works with cyber.”
CISOs want a C-suite role.
The Cyberscoop article points out that security leaders at big banks and influential Fortune 100 corporations now are commanding annual salaries of anywhere between $600,000 and, in rare cases, up to $1 million, according to two executive recruiters who specialize in filling security positions. Mid-market firms — defined roughly as companies with revenue of between $100 million and $5 billion — offer less, typically within the $200,000 to $400,000 range.
After spending an average of 17 months in a single position, CISOs typically move on, either to find a new company where the C-Suite and board of directors are willing to invest in security, or to get a raise.
The article adds that if a company isn’t investing in new security tools, prioritizing patching, making the cyber boss part of high-level conversations or otherwise committing to security within that time frame, a hack could be likely, in which case it’s time to find a new position, the logic goes.
“It’s a regular thing for a Fortune 100 CISO to tell me they have to go somewhere else because they’re not taken seriously,” Deidre Diamond, Founder and CEO of the job placement firm CyberSN, told Cyberscoop.
Budgeting toward physical security, continuity of operations, crisis management and authorizing forensic data analysis, as well as an incident response contract prior to a breach, goes a long way toward proving to a CISO that data protection actually is a priority.
“If a company isn’t focused on the right things and people aren’t buying in then…we’ve seen examples where there needs to be a scapegoat, and the CISO rarely survives that,” Chris Braden, Vice President of Global Channels at eSentire, a managed response vendor which authored a white paper on the topic, told Cyberscoop.
“The number of people who are still talking about Target or Starwood or Equifax, those conversations aren’t going away as soon as those brands would like, and there is some risk for that for the CISO,” he added.
How hiring is impacted.
The Cyberscoop article points out that the salary and culture dynamics result in a rush of applicants for top positions while other opportunities are unexplored.
At a large firm, there might be as many as 12 security-related positions beneath the CISO with job titles like an information security officer, information security manager, threat hunters, engineers and then, at the entry level, a security analyst. That plays out in different ways throughout the private sector — Wells Fargo has 3,000 security staffers while Starbucks has 62 — but a lack of positions sends an implicit message to potential candidates that there’s limited room for growth.
The article adds that a reluctance to spend money also becomes an issue in other ways, such as when companies offer jobs to candidates who live outside of a major metropolitan area. Instead of offering higher salaries, many firms offer a lower salary and justify it by saying the cost of living in a smaller city is lower than in tech hubs like San Francisco or New York, says CyberSN’s Diamond.
Companies don’t want to spend on security, so they’re getting people to do three jobs in one, but you’re not going to retain people because there is a high demand and there are other places they can go.
The Cyberscoop article points out that even if top security executives flock to larger companies with higher budgets and more opportunities for advancement, mid-market firms still need to find ways to protect themselves. The choice is to either outsource to a consultancy firm, hire a security operations center or get creative. Emphasizing vacation time, internal training, remote work, flexible hours and a focus on quality of life all are possibilities, the Forrester report notes.
Instead of relying on hiring managers who view information security roles only as an offshoot of traditional IT, some security bosses are experimenting with new avenues to find highly skilled personnel. Jim Motes, chief information security officer at GameStop, has been working with a Texas nonprofit that aims to start autistic adults in security monitoring.
The article adds that, by training autistic people to recognize patterns and flag anomalies, Motes believes GameStop can tap into a new talent pool while students can improve their earning potential. He is even exploring using that talent to build a security operations center for the company.
“We’re all a bit quirky, and companies that look only for people in a certain mold miss out on a lot of security talent,” Motes told Cyberscoop. “I had a guy once [on the Autism spectrum], he saw code fly across the screen and could immediately see it wasn’t normal. It turned out to be a breach of customer information.”
The idea of abandoning traditional requirements like industry certifications and college degrees is gaining steam. Instead, analysts are advising clients to identify candidates who demonstrate an interest in security and a willingness to learn the issues.
“Organizations are using virtual sandbox scenarios and giving them hypothetical situations and letting them solve problems on their own,” Chase Cunningham, the Forrester analyst told Cyberscoop. “Look, I joined the Navy as a diesel mechanic and now cybersecurity is my thing…We have a lack of talent that’s available, but there’s also talent that’s just not apparent.”
Break and fix.
A recently published Forbes article pointed to the fact that solving the skills shortage when it comes to cyber crime won’t be done in a classroom.
The way that cyber talent is taught – at university and during training – is no match for the evolving threat landscape. Static measurements of skills, such as certification and periodic training, cannot keep pace with new threats that even the savviest security teams are unfamiliar with. The barrage of 24-hour threat intelligence is increasingly disconnected from the skills of these security teams, meaning badly trained defenders are simplifying attackers’ jobs.
The author of the article pointed out that, in his time at GCHQ, he learnt that the best cyber talent is creative and curious; such people develop by breaking things and thinking on their feet, not by sitting in classrooms and learning passively. Unfortunately, this jars with traditional training methods, which is one of the factors contributing to an unnecessary talent drain.
“GTconsult has a specific approach when it comes to cyber security. We have a team of highly skilled individuals who have acquired their skills through formal training as well as on the job training dealing with some of the worst cases of cyber crime. Contact us today to let us show you how we can add value to your business,” says GTconsult Co-Founder and CEO, Bradley Geldenhuys.