Take a glance at social media on any given day, and you'll hear commentators stating that there is a (cyber) skills gap and that it must be addressed if we are to meet the challenges we are all increasingly facing.
Let's be clear about something before we continue. If we are saying that there is a skills gap, then there are organizations out there that are ready to hire cybersecurity professionals now. The assumption is that these professionals don't have the right skills that the organizations are looking for.
But how true is this?
Life and Times of Cybersecurity Professionals
The Information Systems Security Association International (ISSA) interviewed 489 cybersecurity professionals to get their views on the issues related to the cyber skills gap. ISSA then published their responses in The Life and Times of Cybersecurity Professionals 2021.
In summary, the report findings were that a more holistic approach to continuous cybersecurity education is required to address the skills shortage. This should start in public education and extend into comprehensive career development, mapping, and planning strategy, functions which would be supported and integrated within the business.
Of course, this is not going to happen overnight if it is even possible. However, the research goes on to say that one seemingly simple change organizations can make is to increase salary and compensation for cybersecurity professionals.
But is this likely to happen without changes within the cybersecurity sector itself?
The truth is, I believe there are two problems we need to address before we can close this perceived skills gap. Indeed, I don't feel there is a cybersecurity skills gap at all. At least not the kind that most people think of. I believe there are fundamental misunderstandings and appreciation of what cybersecurity is. There is a communications gap, not a cybersecurity skills gap.
Cybersecurity: A Business Perspective
Let's start with those outside our industry. When organizations hire cybersecurity professionals, they need to be clear about what problem they are trying to solve and then hire appropriately. If the answer is to increase the compensation offered to cybersecurity professionals, as the ISSA report suggests, then the organization needs to know what value they're going to get. Recruiters also need to do more work here to understand the cybersecurity profession because, based on personal experience, they don't. I recall speaking to a recruiter in 2018 who was looking for data protection specialists with "five years' experience in GDPR." How it's possible to gain five years of experience in a regulation that had only been introduced two years before this is anyone's guess!
We know that gaining support for cybersecurity at the Board table has been a struggle for many years. This issue of obtaining buy-in from the top extends into hiring people into roles where the immediate benefit is not observed. Businesses need to recognize that (dependent upon the job title) the role of the cybersecurity professional is mostly preventative. Unfortunately, the perception from the business is that cybersecurity is a cost center, and a cost that can be delayed indefinitely.
Linked to this is the cost associated with the continual improvement and up-skilling of the cybersecurity professional. Training and professional education for cybersecurity professionals is often vastly more expensive than other forms of training. It also never stops. The skills, tools, and techniques you are using now may be obsolete in two years (or less).
One solution to this problem is to invest in outsourcing the need for cybersecurity to organizations that offer fully managed services. This places the burden of hiring, training, and retaining cybersecurity professionals on organizations who are better equipped to provide these services.
From a business perspective, there is no cybersecurity skills gap. There is only a gap between what the business expects and the value it perceives it receives. As cybersecurity professionals, I believe our role is to become better communicators, educate businesses on the value they will receive from cybersecurity, and help them understand what resources (human or technical) will help them most.
Cybersecurity: The Profession
I have long argued that cybersecurity is a profession and should be respected as such. If we (as professionals) can start to see ourselves as doctors and lawyers do, then I think we will begin to see some confusion in relation to the perceived skills gap.
Cybersecurity is multi-faceted, and each facet requires a different set of skills and knowledge if we are to be effective in this area. To be successful in this field, I believe there are core skills and knowledge that individuals must develop either through formal training or self-development.
Many universities now offer formal degrees in cybersecurity. This is not to say these are not of value, but there is more to life than university. For example, I know many university graduates who have never encountered the Cybersecurity Book of Knowledge (CyBok). CyBok is a guide that codifies information that already exists in literature such as textbooks, academic research articles, technical reports, white papers, and standards, bringing together a single resource for practitioners to review and develop their knowledge.
CyBok, of course, is not the only way we can develop in this field. A professional can acquire a vast array of certifications and badges if they have the time and the (vast) budget to undertake the courses and exams.
Amongst the many to choose from, there are a few stand-out certifications that many organizations are looking for. These include the following:
- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Management (CISM)
- Certified Information Security Auditor (CISA)
- Certified Ethical Hacker (CEH)
There are a multitude of others to look at once you get into vendor-specific technologies such as Amazon Web Services, Microsoft Azure, and even more when looking at governance and data protection.
This once again leaves professionals (especially 'noobs') wondering which path to take, and ultimately, it leaves them with gaps in their knowledge. For this reason, I no longer chase these badges but prefer to extend my network and learn from those around me. I prefer to gain practical experience from peers and mentors instead.
This is one of the reasons I joined the Chartered Institute of Information Security (CIISec). The institute was launched in 2006 to raise the standard of professionalism in information and cyber security. As an independent not-for-profit body governed by its members, CIISec provides a focal point for the information and cyber security profession. The aim is to develop standards of professionalism for training, qualifications, operating practices, and individuals.
CIISec has a growing membership that represents over 10,000 individuals in the information and cyber security industry. It has a structured learning and development plan from entry-level through to 'Fellow' membership.
To develop ourselves within this profession, we need to recognize that we must go beyond 'badge collecting' and develop our networks and associations with like-minded professionals so that we can learn from each other. The ISSA report referenced earlier highlights the need for cybersecurity professionals to develop a mix of hands-on experience, basic certifications, and networking. Networking here doesn't refer to technical knowledge but to the fact that professionals need to be connecting within and beyond their own industries and sectors.
The cybersecurity skills gap for professionals is that we need to move out of our comfort zones and engage with the broader topic of cybersecurity. As professionals, we need to understand what the business wants and needs and learn some of those 'soft' skills that seem to be so hard to develop. Namely, we need to close the communications gap and work on our own marketing strategy.
In 2020, the UK Government was roundly criticized for an advertising campaign that depicted a ballet dancer (called Fatima) claiming "Fatima's next job could be in cyber. She just doesn't know it yet."
Of course, the ad went down as one might expect – badly! But what does this tell us about attitudes towards the cybersecurity industry? I believe it tells us a lot, and we need to start paying attention.
Businesses need to appreciate the value that cybersecurity brings even if they don't immediately see or feel it. If they don't want to hire their own teams, then outsource it to a managed service provider who can take on the responsibility for you. Cybersecurity professionals also need to appreciate that businesses won't immediately see them as a valued asset. We need to change our approach to communicating the necessity in what we do, not by terrifying them with stories and statistics but by becoming better communicators of the value we bring.
To put it simply, there is no cybersecurity skills gap. Just a gap in communication.
You can follow Gary on Twitter here: @AgenciGary
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.