Sarah Clarke | Data Protection & Privacy, BH Consulting
The primary blockages I see to recruitment and (more seriously) medium-term retention are lack of capacity to train in post, excessive expectations of discretionary hours, lack of flexibility in terms of both hours and remote working, and poor role definition. There are too many ads looking for a wish list of responsibilities, specific technologies, years of experience, and qualifications. The former two are indicative of the way security is viewed and valued in the organisation. Often, training going down and discretionary hours going up is a quick and brutal effect of more general cost-cutting. Flexibility and remote working are about the nature of roles but also whether firms trust staff and put effort into technically enabling it. If they don't, they need to start, because my anecdotal feedback is that it's a big draw... and a big red flag if ruled out on invalid grounds. Issues with role definition are a knottier problem. The industry as a whole is bad at analysing what is required to do specific parts of the security job well and the kind of experience, education and capabilities needed to match that. That's often the case because of interaction between multiple issues. When individuals or teams are working at over 100% capacity, keeping more balls in the air than is reasonable, job analysis is less than an afterthought. Even if done, if things are really broken, it can rock the boat in ways the firm won't like. There are pockets of better practice (like the place where I work now) but only where senior sponsorship produces budget, time, and support for both analysis and outcomes, including a search for specialist recruiters who don't bleed out value by devolving search back down to an overenthusiastic checklist.
Stuart Coulson | Director, HiddenText Ltd
I believe the skills gap is a twofold issue. We can't hire, and we can't drink fast enough. Firstly, the amount of available people with an interest in our industry is growing. They're enthusiastic and passionate about our career; however, that is not good enough to pass the current HR processes, and as a result, candidates become despondent and take up other IT roles instead. Secondly, the myriad of technologies is such that training may only be relevant to one technology stack, and when a talented individual applies for other roles, they may find that the hiring company doesn't recognize the transferable skills that they can't put in a box. They don't hire the candidate, so companies need to go back to basics. Number one: don't look for the unicorns, or the 1 in 1000 people. Companies are currently discounting 999 other talented individuals who could grow into that company. Number two: don't advertise hyper-specific requirements and job roles. Understand that the ideal candidate may not apply if they cannot tick all the boxes. Number three: instead of a keyword search, let the HR team do basic filters but then be guided by the managers who will be looking after these people. Look for the transferable skills. Number four: instead of a full interview that can put off neurodiverse candidates, consider putting in scenario- and/or competence-based tests that will then allow a candidate to demonstrate their passion and ability. Doing these will identify passionate talent who can actually do the job despite not necessarily ticking all the hyper-specific boxes on the job advert.
Bob Covello | 20-Yr Tech Veteran & Infosec Analyst
Do we have a skills gap? I think not. Conversely, I see the problem as more of a requirements glut. Every InfoSec job description is filled with every imaginable security wish rather than a true depiction of the job responsibilities. Unfortunately, this makes perfect sense. If you were to rescue a person who has been stranded and starving, they will want to eat everything. When you think of the short-staffed, overworked, overwrought security analysts, it's no wonder that a job description looks more like a rescue plea than a service portrayal. I am usually more optimistic than this, but the mythical skills gap curse will not be broken until we as InfoSec professionals can better understand and articulate how to fill the necessary gaps rather than every imaginable gap.
Sandy Dunn | CISO, Blue Cross of Idaho
My experience, and what I hear from other CISOs, is that the skills shortage is for seasoned cybersecurity professionals with advanced experience. The experience can either be advanced knowledge in a narrow area such as highly skilled red teaming experience or security architecture, or it can be of decent depth across broader areas of cybersecurity skills. The benefit of having a seasoned professional is that they are familiar with the challenges and complexities of merging business and cybersecurity. They have a rounded perspective of what can go wrong, and they know the impact if a "minor" change causes a cascading, catastrophic failure that causes financial impact to the business. In reality, and if we are generous with the timeline, cybersecurity as a major part of your role has only existed for the last 20 years. As a pervasive force that every online business must incorporate into its IT team, it's really been around for only the last 10. So we are fighting for that same pool of experienced security professionals.
David Henderson | Sr. Systems Engineer, Tripwire
Within the cybersecurity sector, there is an increasingly large skills gap between corporate needs and readily available qualified personnel. To qualify this, I see a more structured and target-focused set of existing and emerging technologies in the marketplace with features that do not match well with potential new hires. This skills gap can be remediated through in-classroom and/or on-the-job training. However, that takes time. As a result, many corporations are reaching out through staffing agencies to look for personnel with proven specific skill sets that can be utilized immediately. In many cases, this is a hard reach.
Anthony Israel-Davis | Senior Manager of R&D, Tripwire
Outsourcing is great, but understand its limitations.
Neira Jones | Independent Advisor & International Speaker
I recently listened to what some of my infosec friends were debating. These people are very skilled individuals who are looking for jobs in the cybersecurity space or who are looking to hire some people. The points I gleaned from this recent conversation were:
- Those looking to hire were not making the job descriptions conducive enough for the roles they were expecting to hire for, so this would result in a mismatch of expectations and unhappy people in the long run.
- Salaries need to be commensurate, and this is not the case.
- When there are geographical differences in any country (such as in the UK, with the North & South divide), salaries will be much higher in economic centres (such as London). This means that people will be attracted to these areas. And this will invariably lead to a skills gap in those areas that cannot afford those salaries. And round we go again.
- If, say, you want to hire a CISO (and we all understand what that role needs to be), don't ask them how "hands on with Python" they are!
- Information/Cybersecurity is a vast field, and it is also a relatively young and rapidly evolving industry. We need to do better at promoting this fact. Should you choose to, you can work in infosec if you have a change management background, psychology, analytics, communications, etc. (This is not an exhaustive list. I should know!)
Irfahn Khimji | Country Manager, Canada, Tripwire
A lot of organizations are looking for folks who have multiple years of experience in technologies that have not been around for very long. The information security environment is evolving faster than most organizations can keep up with. I think the biggest thing a company can do is look to hire folks with transferable skills such as a passion for security, a curiosity to tinker with how things work, and outside-of-the-box thinking. This type of drive is hard to teach, so organizations should hire this type of talent when they find it and then teach the security skills. In order to do that, however, it requires that organizations invest heavily in keeping their teams trained up. This obviously takes away from office time, but it is essential to keeping teams up-to-date with the latest threats and trends.
David Lu | Security Researcher, Tripwire
As a CS instructor, I help a lot of students navigate their first job search. One frustrating challenge is that employers who are willing and looking to hire and mentor new graduates have requirements in entry-level job postings that don't match the experience that new grads typically have. If your entry-level job posting calls for "2-4 years of experience with Python" or "1-3 years of experience in a technical security role," you'll miss out on many bright, sincere candidates brimming with potential because they won't apply to that ad. Remove any such hard requirements from job postings. The skills gap exists in part because we inadvertently discourage newcomers in many ways, and this is one of those ways. On a more substantive level, CS educators are overloaded. The enrollment rate for CS bachelor's programs in the United States has more than tripled since 2006, and the slope is increasing. This has created significant pressures on faculty workload, classroom and lab space, as well as non-major access. As colleges and universities scramble to create and develop cybersecurity programs to meet demand, it may be worth remembering that college programs aim to produce well-rounded individuals with some foundational knowledge and strong learning skills. Most of them will not have job-ready skills. So, if you have the capability and capacity to mentor and let junior employees grow, it may be worth exploring candidates with non-traditional backgrounds.
Angus Macrae | CISSP
There is no substitute for experience, and despite the well-publicised shortage in people required to fill an ever-rising demand, that is often the hardest thing for someone trying to break into cybersecurity to attain. Hiring gatekeepers should therefore try and look beyond the obvious buzzwords such as particular job titles, certifications or formal education paths in their search criteria. Providing they are credible, those are all good things, but they are not the 'be all and end all.' Whilst certain specialist roles such as pentesting or forensics will require some non-negotiable hard skills, there is much to be said for people with a broader, varied technical knowledge, good problem-solving skills and a naturally questioning and inquisitive nature. First and foremost, security is a mindset, and that isn't something you can always reliably gauge from a CV or LinkedIn profile. Some level of technical grounding remains vital, however. I'm increasingly coming across people who claim to work in cybersecurity but 'aren't that technical,' which is a bit like saying you're a motor mechanic but you're not that sure what's under the bonnet. Whilst CISOs and senior-level managers should, of course, be operating at the business and board level rather than down in the technical weeds on a day-to-day basis, they will still need a reasonable level of contemporary technical understanding to make the right choices.
https://www.youtube.com/watch?v=IVlfQRFd4l8&feature=youtu.be
Lori MacVittie | Principal Tech Evangelist, Office of the CTO, F5 Networks
"Whether you think you can or you can't, you're right." – Henry Ford. Some in the industry mention the "security skills gap" with doom resounding in their voice. Others, with dismissive tones. Is it just a perception? Or is it real? What matters is what practitioners believe; they have to put security into practice. If they believe they can't, well, as Henry Ford told us, they're right. When we asked practitioners in our annual research if there was a security gap or deficit in skills in their organization, 71% told us yes. Digging deeper, we find this deficit spans every facet of security, from application security (54%) to network security (42%) to public cloud (33%) to compliance (27%). Security professionals believe there is a deficit across a broad set of security skills. That belief contributes to their ability to execute successfully on security strategies. Approaches that encourage collaboration and cross-functional teams, such as DevOps, can help reduce the impact of the skills deficit felt by practitioners. By working closely with those who have the right skills, others can benefit from their expertise in execution and potentially close the gap.
Chloé Messdaghi | Vice President of Strategy, Point3 Security, Inc.
There's a big issue of diversity and inclusion today. When women are looking at jobs, they will apply only to jobs if they fit a hundred percent of the criteria. It's a little bit different for men, who go for a job even if they meet 60 percent of the criteria. In return, women end up applying to 20 percent fewer jobs. Even when underrepresented persons apply and are fully qualified for that position, they don't get it today. The reason for that is that we have prejudices and biases that are still very much existent in InfoSec because they remain unchecked. We're not doing enough to change the situation, and in reality, what's going to keep on happening is this rotating door because we're not doing enough to promote inclusion. In order to change that situation, please reach out to organizations that work with underrepresented persons and that do whatever it takes to change the situation and make the field more welcoming for all people.
Alyssa Miller | Hacker & AppSec Advocate
So, there's a lot of discussion in the cybersecurity community about this skills gap and the trouble that corporations are having in hiring skilled cybersecurity individuals. As we look at that problem, I think one of the key issues we're seeing, and I hear, is that our job descriptions are wildly unrealistic. (I see this all the time from my colleagues, and I've seen it in research I've done.) If you look at job descriptions that are out there today, you'll see things where entry-level positions are asking for a CISSP certification. Anybody who knows anything about it knows that you need to have five years of experience to get certified. Other times, I've seen other things that just asked for either wild amounts of technology experience that no single one person could ever possibly obtain or simply impossible things like 12 years of AWS experience. Well, unless you're Jeff Bezos, you probably don't have that level of experience, so you know, I think that's one of the big barriers we have right now in the industry. We're struggling with just getting job descriptions out there that are sensible and that attract the right people. The problem with this is that the longer these positions stay open, the more stress it places on the rest of our security teams. We see this as turnover, which is almost astronomical in the cybersecurity community. The average time on the job was two and a half years in the last study I saw. It's not because salaries aren't high enough. It's because people are getting burned out in their jobs, and they're leaving to go to non-cybersecurity jobs where they feel they have a better balance. So, the question is as follows: how do we continue to secure our systems when our teams are in these positions? The fact is we have to start looking internally. We have to start looking at which folks within our organization have a desire to expand their skills into security.
We should start looking at how to develop those people, how to enable them, how to provide training and how to provide them with opportunities that show what they can do in security. It's a long road, and we've got a lot of work to do.
Gina Parshall | Resource Operations Manager of Professional Services, Tripwire
As society is learning, the biggest barrier to entry and hiring into cybersecurity is that skillsets are constantly changing with every new vulnerability and maturity level. After years of struggling and seemingly always being behind the eight ball, corporations are taking this gap into consideration and rethinking their strategies for conducting business. One way they are mitigating this is by moving to the cloud and adopting managed services. They are discovering that by allowing the experts in managed services to conduct their day-to-day business, it allows them to be more agile with training their employees and focusing their efforts on addressing the critical vulnerabilities they encounter.
Matt Pascucci | Sr. Cyber Security Manager, CCSI
The largest barrier to entry for employees is having experience in multiple facets of security. We've seen many students come out of school with degrees in cyber but who don't have experience in the technology they're defending. I personally look for someone who has the desire and experience in the relevant technology before assuming that they're experts in security. Right now, that's the largest barrier to entry in the field. We recommended that a firm baseline of knowledge in the underlying technology be present in an applicant.
Kristen Poulos | VP and General Manager of Industrial Cybersecurity, Tripwire
The word 'skill' relates to both the talent and the tools that are needed to achieve a desired outcome. When we speak of the cybersecurity industry's "skills gap," therefore, we imply these things aren't abundant enough to overcome the threats that broadly affect organizations. But I think it's more complicated than that.
Zoë Rose | Cyber Security Specialist and Ethical Hacker
When I started within the technology industry over 10 years ago, I actually transitioned internally from a personal tax assistant/administrative role to an IT Manager role. I didn't have a massive challenge doing this, as all the experience I had with the company previously was beneficial in the new role, and there was a pre-existing relationship between myself and my managers. I was primarily self-taught through hands-on experience, YouTube instructional videos, and reading. After a few years, I decided to get a formal education at college. Unfortunately, on leaving college, I discovered there were a few challenges with being from a different background than the expected applicant. However, I was able to bypass this issue by starting my own company. Following this, I moved to the United Kingdom and then to Ireland. Now, after more than 10 years of experience with owning a company and working in three different countries, I still struggle with job hunting, especially for senior roles and highly technical positions. Even today, I still receive comments on how I don't look like what they expect or don't appear old enough, etc. However, I have learned that applying to companies with persons I know vs. applying from online listings is more effective. Based on my own experience and the experiences of those whom I have mentored and/or reviewed, I can say the following:
- Many companies are looking for a specific person. In doing so, the interviewer might lack knowledge of what the organization actually needs in terms of cybersecurity.
- Unfortunately, there is little-to-no training provided for interviewers. I have had great first interviews but then second interviews where the person was only interested in hiring someone skilled like themselves (Stop hiring in your own image.) and talking about how great a technology I’d never used was. This technology was not a requirement for the role directly, mind you, and they ignored my responses to similar but not directly related work.
- Interviewers are rarely required to attend formal unconscious bias training.
- Applicants with limited experience often struggle with putting their theoretical knowledge into context for the interview.
Nick Santora | CEO, Curricula
I think one of the biggest barriers to entry and hiring for security positions is that there are not enough entry-level positions. In a sales career, typically college grads start out in sales development roles. These are entry-level roles designed to teach the foundations of the sales process and help them gain interest in prospects for the sales team to work with. Most companies are so far behind on security investments that they want to hire the best and brightest, which is a given. But those employees get burned out quickly, leaving the company struggling for talent instead of building their own pipeline.