The skills gap is weighing heavily on the minds of digital security team members. In a survey of 342 security professionals, Tripwire found that 83% of infosec personnel felt more overworked in 2020 than they did a year earlier. An even greater percentage (85%) stated that it had become more difficult for their organizations to hire skilled security professionals since then. Given this finding, we at The State of Security asked security experts to identify the biggest barrier to entry and hiring into digital security. We then asked them to share their thoughts on how companies could work to overcome those issues. Their responses are presented below.
Sarah Clarke | Data Protection & Privacy, BH Consulting
The primary blockages I see to recruitment and (more seriously) medium-term retention are lack of capacity to train in post, excessive expectations of discretionary hours, lack of flexibility in terms of both hours and remote working and poor role definition. There are too many ads looking for a wish list of responsibilities, specific technologies, years of experience, and qualifications. The former two are indicative of the way security is viewed and valued in the organisation. Often, training going down and discretionary hours going up is a quick and brutal effect of more general cost-cutting. Flexibility and remote working are about the nature of roles but also whether firms trust staff and put effort in to technically enable it. If they don't, they need to start because my anecdotal feedback is that it's a big draw...and a big red flag if ruled out on invalid grounds. Issues with role definition are a knottier problem. The industry as a whole is bad at analyzing what is required to do specific parts of the security job well and the kind of experience, education and capabilities needed to match that. That’s often the case because of interaction between multiple issues. When individuals or teams are working at over 100% capacity keeping more balls in the air than is reasonable, job analysis is less than an afterthought. Even if done, if things are really broken, it can rock the boat in ways the firm won't like. There are pockets of better practice (like the place where I work now) but only where senior sponsorship produces budget, time, and support for both analysis and outcomes, including a search for specialist recruiters who don't bleed out value by devolving search back down to an overenthusiastic checklist.
Stuart Coulson | Director, HiddenText Ltd
I believe the skills gap is a twofold issue. We can't hire, and we can't drink fast enough. Firstly, the amount of available people with an interest in our industry is growing. They're enthusiastic and passionate about our career; however, that is not good enough to pass the current HR processes, and as a result, candidates become despondent and take up other IT roles instead. Secondly, the myriad of technologies is such that training may only be relevant from one technology stack, and when a talented individual applies for other roles, they may find that the hiring company doesn't recognize the transferable skills that they can't put in a box. They don't hire the candidate, so companies need to go back to basics. Number one: don't look for the unicorns, or the 1 in 1000 people. Companies are currently discounting 999 other talented individuals who could grow into that company. Number two: don't advertise hyper-specific requirements and job roles. Understand that the ideal candidate may not apply if they cannot tick all the boxes. Number three: instead of a keyword search, let the HR team do basic filters but then be guided by the managers who will be looking after these people. Look for the transferable skills. Number four: instead of a full interview that can put off neuro-diverse candidates, consider putting in scenario- and/or competence-based tests that will then allow a candidate to demonstrate their passion and ability. Doing these will identify passionate talent who can actually do the job despite not necessarily ticking all the hyper-specific boxes on the job advert.
Bob Covello | 20-Yr Tech Veteran & Infosec Analyst
Do we have a skills gap? I think not. Conversely, I see the problem as more of a requirements glut. Every InfoSec job description is filled with every imaginable security wish rather than a true depiction of the job responsibilities. Unfortunately, this makes perfect sense. If you were to rescue a person who has been stranded and starving, they will want to eat everything. When you think of the short-staffed, overworked, overwrought security analysts, it’s no wonder that a job description looks more like a rescue plea than a service portrayal. I am usually more optimistic than this, but the mythical skills gap curse will not be broken until we as InfoSec professionals can better understand and articulate how to fill the necessary gaps rather than every imaginable gap.
Sandy Dunn | CISO, Blue Cross of Idaho
My experience, and what I hear from other CISOs, is the skills shortage is for seasoned cybersecurity professionals with advanced experience. The experience can either be advanced knowledge in a narrow area such as highly skilled red teaming experience or security architecture, or it can be of decent depth across broader areas of cybersecurity skills. The benefit of having a seasoned professional is that they are familiar with the challenges and complexities of merging business and cybersecurity. They have a rounded perspective of what can go wrong, and they know the impact if a “minor” change causes a cascading, catastrophic failure that causes financial impact to the business. In reality, and if we are generous with the timeline, cybersecurity as a major part of your role has only existed for the last 20 years. As a pervasive force that every online business must incorporate into its IT team, it’s really been around for only the last 10. So we are fighting for that same pool of experienced security professionals.
Most colleges recognize the opportunity and are building out their cybersecurity programs, but as good as many of them are, you can’t substitute education for experience. I work with our local college, and I have found there is a disconnect between the type of individual I need and the skills of the students who are graduating from their cybersecurity program. I think they are finding this in other organizations as well since the school administrators have discussed the challenges they have had placing students from their program. They lack good communication skills, proper understanding of security architecture, awareness of risk as a discipline, project management knowledge, and critical thinking skills. I have been a guest speaker at the college and at other events, and every young bright-eyed person who seeks me out to discuss their career is excited about red teaming. My guidance is to focus on other cybersecurity roles. There are many pen testers, and honestly, I have people with red teaming skills, but the need for them is limited. Red teamers are my sanity check to confirm everyone else did their job well. I need builders, defenders, risk people, architects, and people who understand IT security audits. It’s not a surprise that college kids believe the only role available in cybersecurity is red teaming. It’s the role in the news and in the movies. I think the solution is for cybersecurity professionals, people like myself who are part of the hiring and managing of cybersecurity teams, to embed ourselves in the college curriculum and partner with college educators to influence the skills required in a cybersecurity program. The other solution that I have used is identifying people with good business acumen and then building out their cybersecurity knowledge.
Balancing cybersecurity and having a successful relationship between cybersecurity and the business is so critical that it’s almost easier to educate them on cybersecurity than to educate cybersecurity people how to think from the business perspective.
David Henderson | Sr. Systems Engineer, Tripwire
Within the cybersecurity sector, there is an increasingly larger skills gap between corporate needs and readily available qualified personnel. To qualify this, I see a more structured and target-focused set of existing and emerging technologies in the marketplace with features that do not match well with potential new hires. This skills gap can be remediated through in-classroom and/or on-the-job training. However, that takes time. As a result, many corporations are reaching out through staffing agencies to look for personnel with proven specific skill sets that can be utilized immediately. In many cases, this is a hard reach.
Anthony Israel-Davis | Senior Manager of R&D, Tripwire
Outsourcing is great, but understand its limitations.
Outsourcing to a managed service is a great solution to the skills gap and solves one part of the equation, which is finding and hiring qualified personnel that you can afford. While it helps solve the problem, however, it comes with its own costs. First, it’s rare to find a one-stop-shop for all infosec needs, so you’re likely augmenting internal staff with a specific need to maintain a subset of controls. Next, the services you are receiving need to be consumable. This will help whoever is responsible for information risk within the organization to use those to make appropriate business decisions. Finally, outsourcing distributes the security responsibility and risk. It’s critical to have clarity around the expectations and responsibilities of the third party both to ensure the expected services are delivered and to manage through any incidents that occur. A managed service can be a legal liability or a valuable partner, so it’s important to get it right upfront.
Is it a skills gap or a people gap?
When we talk about the skills gap, are we talking about needing people who already have the skills or having people who need to learn the skills? I believe security is everybody’s responsibility, and while there is definitely a set of very specialized skills that are needed usually around specific technologies and practices, many controls can be managed by staff already in the organization. Building a track for infosec training and development internally not only builds out a strong bench; it also keeps employees engaged and motivated while building a culture of information security. In a high-demand market, building internally is a key piece in the skills gap puzzle. And don’t forget security awareness training. A company full of security-minded people is more effective than a small team struggling to shoulder the burden of securing an entire company.
Neira Jones | Independent Advisor & International Speaker
I listened recently to what some of my infosec friends were debating lately. These people are very skilled individuals who are looking for jobs in the cybersecurity space or who are looking to hire some people. The points I gleaned from this recent conversation were:
- Those looking to hire were not making the job descriptions conducive enough for the roles they were expecting to hire for, so this would result in a mismatch of expectations and unhappy people in the long run.
- Salaries need to be commensurate, and this is not the case.
- When there are geographical differences in any country (such as in the UK, with the North & South divide), salaries will be much higher in economic centres (such as London). This means that people will be attracted to these areas. And this will invariably lead to a skills gap in those areas that cannot afford those salaries. And round we go again.
- If, say, you want to hire a CISO, and we all understand what that role needs to be, don't ask them how "hands on with Python" they are!
- Information/Cybersecurity is a vast field, and it is also a relatively young and rapidly evolving industry. We need to do better at promoting this fact. Should you choose to, you can work in infosec if you have a change management background, psychology, analytics, communications, etc. (This is not an exhaustive list. I should know!)
Irfahn Khimji | Country Manager, Canada, Tripwire
A lot of organizations are looking for folks who have multiple years of experience in technologies that have not been around for very long. The information security environment is evolving faster than most organizations can keep up with. I think the biggest thing a company can do is look to hire folks with transferable skills such as a passion for security, a curiosity to tinker with how things work, and outside-of-the-box thinking. This type of drive is hard to teach, so organizations should hire this type of talent when they find it and then teach the security skills. In order to do that, however, it requires that organizations invest heavily in keeping their teams trained up. This obviously takes away from office time, but it is essential to keeping teams up-to-date with the latest threats and trends.
David Lu | Security Researcher, Tripwire
As a CS instructor, I help a lot of students navigate their first job search. One frustrating challenge is that employers who are willing and looking to hire and mentor new graduates have requirements in entry-level job postings that don’t match the experience that new grads typically have. If your entry-level job posting calls for “2-4 years of experience with Python” or “1-3 years of experience in a technical security role,” you’ll miss out on many bright, sincere candidates brimming with potential because they won’t apply to that ad. Remove any such hard requirements from job postings. The skills gap exists in part because we inadvertently discourage newcomers in many ways, and this is one of those ways. On a more substantive level, CS educators are overloaded. The enrollment rate for CS bachelor's programs in the United States has more than tripled since 2006, and the slope is increasing. This has created significant pressures on faculty workload, classroom and lab space as well as nonmajor access. As colleges and universities scramble to create and develop cybersecurity programs to meet demand, it may be worth remembering that college programs aim to produce well-rounded individuals with some foundational knowledge and strong learning skills. Most of them will not have job-ready skills. So, if you have the capability and capacity to mentor and let junior employees grow, it may be worth exploring candidates with non-traditional backgrounds.
Angus Macrae | CISSP
There is no substitute for experience, and despite the well-publicised shortage in people required to fill an ever-rising demand, that is often the hardest thing for someone trying to break into cybersecurity to attain. Hiring gatekeepers should therefore try and look beyond the obvious buzzwords such as particular job titles, certifications or formal education paths in their search criteria. Providing they are credible, those are all good things, but they are not the ‘be all and end all.’ Whilst certain specialist roles such as pentesting or forensics will require some non-negotiable hard skills, there is much to be said for people with a broader, varied technical knowledge, good problem-solving skills and a naturally questioning and inquisitive nature. First and foremost, security is a mindset and that isn’t something you can always reliably gauge from a CV or LinkedIn profile. Some level of technical grounding remains vital, however. I’m increasingly coming across people who claim to work in cybersecurity but ‘aren’t that technical,’ which is a bit like saying you’re a motor mechanic but you’re not that sure what’s under the bonnet. Whilst CISOs and senior-level managers should, of course, be operating at the business and board level rather than down in the technical weeds on a day-to-day basis, they will still need a reasonable level of contemporary technical understanding to make the right choices.
https://www.youtube.com/watch?v=IVlfQRFd4l8&feature=youtu.be
Lori MacVittie | Principal Tech Evangelist, Office of the CTO, F5 Networks
“Whether you think you can or you can’t, you’re right.” – Henry Ford. Some in the industry mention the “security skills gap” with doom resounding in their voice. Others, with dismissive tones. Is it just a perception? Or is it real? What matters is what practitioners believe; they have to put security into practice. If they believe they can’t, well, as Henry Ford told us, they’re right. When we asked practitioners in our annual research if there was a security gap or deficit in skills in their organization, 71% told us yes. Digging deeper, we find this deficit spans every facet of security from application security (54%) to network security (42%) to public cloud (33%) to compliance (27%). Security professionals believe there is a deficit across a broad set of security skills. That belief contributes to their ability to execute successfully on security strategies. Approaches that encourage collaboration and cross-functional teams such as DevOps can help reduce the impact of the skills deficit felt by practitioners. By working closely with those who have the right skills, others can benefit from their expertise in both execution and potentially close the gap.
Chloé Messdaghi | Vice President of Strategy, Point3 Security, Inc.
There’s a big issue of diversity and inclusion today. When women are looking at jobs, they will apply only to jobs if they fit a hundred percent of the criteria. It’s a little bit different for men, who go for a job even if they meet 60 percent of the criteria. In return, women end up applying to 20 percent fewer jobs. Even when underrepresented persons apply and are fully qualified for that position, they don't get it today. The reason for that is that we have prejudices and biases that are still very much existent in InfoSec because they remain unchecked. We're not doing enough to change the situation, and in reality, what's going to keep on happening is this rotating door because we're not doing enough to promote inclusion. In order to change that situation, please reach out to organizations that work with underrepresented persons and that do whatever it takes to change the situation and make the field more welcoming for all people.
Alyssa Miller | Hacker & AppSec Advocate
So, there's a lot of discussion in the cybersecurity community about this skills gap and the trouble that corporations are having in hiring skilled cybersecurity individuals. As we look at that problem, I think one of the key issues we’re seeing, and I hear, is that our job descriptions are wildly unrealistic. (I see this all the time from my colleagues, and I've seen it in research I've done.) If you look at job descriptions that are out there today, you'll see things where entry-level positions are asking for a CISSP certification. Anybody who knows anything about it knows that you need to have five years of experience to get certified. Other times, I've seen other things that just asked for either wild amounts of technology experience that no single one person could ever possibly obtain or simply impossible things like 12 years of AWS experience. Well, unless you're Jeff Bezos, you probably don't have that level of experience, so you know, I think that's one of the big barriers we have right now in the industry. We’re struggling with just getting job descriptions out there that are sensible and that attract the right people. The problem with this is that the longer these positions stay open, the more stress it places on the rest of our security teams. We see this as turnover, which is almost astronomical in the cybersecurity community. The average time on the job was two and a half years in the last study I saw. It's not because salaries aren’t high enough. It’s because people are getting burned out in their jobs, and they're leaving to go to non-cybersecurity jobs where they feel they have a better balance. So, the question is as follows: how do we continue to secure our systems when our teams are in these positions? The fact is we have to start looking internally. We have to start looking at which folks within our organization have a desire to expand their skills into security.
We should start looking at how to develop those people, how to enable them, how to provide training and how to provide them with opportunities that show what they can do in security. It's a long road, and we’ve got a lot of work to do.
Gina Parshall | Resource Operations Manager of Professional Services, Tripwire
As society is learning, the biggest barrier to entry and hiring into cybersecurity is that skillsets are constantly changing with every new vulnerability and maturity level. After years of struggling and seemingly always behind the eight ball, corporations are taking this gap into consideration and rethinking their strategies for conducting business. One way they are mitigating this is by moving to the cloud and adopting managed services. They are discovering that by allowing the experts in managed services to conduct their day-to-day business, it allows them to be more agile with training their employees and focusing their efforts on addressing the critical vulnerabilities they encounter.
Matt Pascucci | Sr. Cyber Security Manager, CCSI
The largest barrier to entry for employees is having the experience in multiple facets of security. We’ve seen many students come out of school with degrees in cyber but who don’t have experience in the technology they’re defending. I personally look for someone who has the desire and experience in the relevant technology before assuming that they’re experts in security. Right now, that’s the largest barrier to entry in the field. We recommend that a firm baseline of knowledge in the underlying technology be present in an applicant.
Kristen Poulos | VP and General Manager of Industrial Cybersecurity, Tripwire
The word ‘skill’ relates to both the talent and the tools that are needed to achieve a desired outcome. When we speak of the cybersecurity industry’s “skills gap,” therefore, we imply these things aren’t abundant enough to overcome the threats that broadly affect organizations. But I think it’s more complicated than that.
Given the sheer volume of ethical hackers and well-intentioned people wanting to make a difference, I do believe there’s more talent available than acknowledged, especially for entry-level positions. By broadening requirements, companies can gain access to these pools of qualified (& eager!) resources. That said, there is a very real element to the skills gap, and we as an industry need to do more to encourage individuals to come forward to fill it. We can do this by better standardizing cybersecurity positions and career paths and also by partnering with local universities to continually expand curriculum and share knowledge.
Zoë Rose | Cyber Security Specialist and Ethical Hacker
When I started within the technology industry over 10 years ago, I actually transitioned internally from a personal tax assistant/administrative role to an IT Manager role. I didn’t have a massive challenge doing this, as all the experience I had with the company previously was beneficial in the new role, and there was a pre-existing relationship between myself and my managers. I was primarily self-taught through hands-on experience, YouTube instructional videos, and reading. After a few years, I decided to get a formal education at college. Unfortunately, on leaving college, I discovered there were a few challenges with being from a different background than the expected applicant. However, I was able to bypass this issue by starting my own company. Following this, I moved to the United Kingdom and then to Ireland. Now, after more than 10 years of experience with owning a company and working in three different countries, I still struggle with job hunting, especially for senior roles and highly technical positions. Even today, I still receive comments on how I don’t look like what they expect or don’t appear old enough, etc. However, I have learned that applying to companies with persons I know vs. applying from online listings is more effective. Based on my own experience and the experiences of those whom I have mentored and/or reviewed, I can say the following:
- Many companies are looking for a specific person. In doing so, the interviewer might lack knowledge of what the organization actually needs in terms of cybersecurity.
- Unfortunately, there is little-to-no training provided for interviewers. I have had great first interviews but then second interviews where the person was only interested in hiring someone skilled like themselves (stop hiring in your own image) and talking about how great a technology I’d never used was. This technology was not a requirement for the role directly, mind you, and they ignored my responses to similar but not directly related work.
- Interviewers are rarely required to attend formal unconscious bias training.
- Applicants with limited experience often struggle with putting their theoretical knowledge into context for the interview.
The lack of clarity on how to effectively interview, under-skilled interviewers/management, not to mention confusion on what a good security/technology person looks like, create an industry where only the cookie-cutter image passes inspection. This leads to massive gaps of capability, knowledge, and points of view in our industry, ultimately making the industry skills gap appear to be on the applicant’s side where it’s often actually in the organisation’s hiring and managing process.
Nick Santora | CEO, Curricula
I think one of the biggest barriers to entry and hiring for security positions is that there are not enough entry-level positions. In a sales career, typically college grads start out in sales development roles. These are entry-level roles designed to teach the foundations of the sales process and help them gain interest in prospects for the sales team to work with. Most companies are so far behind on security investments that they want to hire the best and brightest, which is a given. But those employees get burned out quickly, leaving the company struggling for talent instead of building their own pipeline.
Maurice Uenuma | Vice President, Federal & Enterprise, Tripwire
Every available data source on this topic, whether it be surveys of cybersecurity professionals or a quantification of open job positions, confirms what we already know. And that is that there is a tremendous gap between supply and demand for cybersecurity professionals, particularly in a need for technical cybersecurity talent. There are a number of different initiatives underway globally to address the supply part of the problem, namely in the form of more robust formal educational opportunities, professional training and certifications as well as even competitions to identify and refine talent. However, any reasonable projection in the near future still suggests that the gap is not going to close anytime soon. In the meantime, organizations can do a number of things to try to address the skills gap. Obviously, there are opportunities for increased investment in security automation as well as opportunities to outsource and consume services through externally provided managed services. One of the most important aspects of cybersecurity that touches on this problem, however, is that cybersecurity is inherently an interdisciplinary, cross-functional challenge. If we begin to view cybersecurity as directly related to the central nervous system of an organization, the critical infrastructure that ties together all the parts of the organization that both receives sensory input as well as provides guidance back out to its many parts and communicates with the outside world and to its many partners and suppliers, we can then realize in fact that this touches on much more than just the IT department with some help from the HR department. When we realize the cross-functional and interdisciplinary nature of the problem, we can begin to engage all parts of the organization with leaders from legal and finance to IT and operations to sales and marketing.
Every part of the business manages sensitive data and information and has an influence in the type of systems and tools that are used to perform many functions. If we can keep that in mind, then we begin to engage other people in the problem, whether they be legal and finance professionals who are tied to compliance and audit requirements or sales and marketing professionals who handle partners’ and customers’ sensitive information. In recognizing all of this, we can begin to address not just the supply part of the problem but also actually the demand side of it, meaning the organizations that need cybersecurity in the first place can begin to leverage a broader set of resources amongst a broader number of people who are already working there to begin to secure the data in the systems upon which the organization relies and which are so critical to achieving a higher state of cybersecurity. Do you have additional thoughts on how organizations can work to overcome the ongoing skills gap? If so, please reach out to us on Twitter.