“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
–Sun Tzu, “Attack by Stratagem” #18 Art of War
Cybersecurity media is awash with coverage of the hotly debated “skills gap,” as evidenced by the significant difference between job openings and new hires. “There’s a persistent and growing gap between the number of jobs available and the number of hires,” said Business Insider last year, so while there are plenty of jobs available, there are not enough appropriately skilled workers.
In the world of security, we often hear the axiom that defenders must address all gaps while attackers only need to find one exploitable hole. This is arguably true across all security-relevant fields – not just in cyberspace but also in industrial technology, conflict zones, physical security, battlefields, privacy and economics, to name a few.
But computers, buildings, equipment and people don’t usually break themselves. Hacking tools, like weapons, aren’t dangerous by themselves; threats are realized when a human being picks up a tool and does harm with it.
The stark reality is what private-sector cryptography and security luminary Bruce Schneier was warning us about at least as far back as 2004. “Computer security is not a problem that technology can solve,” he said. “Security solutions have a technological component, but security is fundamentally a people problem.”
Security incidents most often result from the classic PEBKAC scenario (problem exists between keyboard and chair). Take the April 2015 hack of a French television station’s social media accounts, which was attributed to the station’s broadcast of the accounts’ usernames and passwords on live TV.
The 2014 Cyber Security Intelligence Index reported human error as the source of 95 percent of security incidents. And when you add those with ill will into the formula, it becomes clear that as long as there are people, there will be security issues.
Given that technology alone will not solve our problems and that human error is a huge issue, what is the solution?
There isn’t one.
That is to say, there isn’t one ‘solution to security.’ Furthermore, ‘secure’ is impossible, as nothing will ever be free from risk of harm. No matter how robust, well-engineered and resilient technology is, there will always be threats. There will always be failures. There will always be risk.
Clearly, there is work to be done. Overworked cybersecurity professionals, practicing in typically resource-starved environments – “I need more time, money, and staff!” is a familiar refrain – are trying to head off the seemingly endless threats arrayed against them. Management reports a widespread skills gap stemming from a lack of qualified graduates, a reluctance to train employees, inadequate compensation, and a growing need for soft skills, according to CareerOneStop.
In classic military thinking, “the defensive form of war is in itself stronger than the offensive.” The tables are turned in cybersecurity battles largely due to the extreme complexity of modern networks and systems, giving a properly motivated and skilled attacker the advantage. The ‘attack surface’ is massive. There will always be successful cyber-attacks, making security-skilled staff both crucial and in critically short supply.
Information Week recently reported that CISOs laid the blame for real-world security incidents on skills and personnel gaps in their staffs: “Nearly 55% say their existing cybersecurity teams are facing heavy workloads given the lack of manpower available such that 35% aren’t schooled enough in their security tools to successfully fulfill their jobs.”
Training is the traditional method utilized to acquire new and deeper skills, with vendor product training often forming a central pillar that supports a need for deep tool skills. Tripwire, for example, offers very highly rated role-specific training for Tripwire Enterprise administrators, security staff, and compliance officers. These virtual and traditional in-person classes deliver key IT change detection and compliance skills.
Several sources of vendor-neutral training are also available. Cybrary, for example, offers a myriad of free point skill courses and certifications. Security skills powerhouse SANS Institute’s Cyber Aces program makes IT generalist operating system, networking and system administration training available. Additionally, the U.S. Department of Defense serves a catalog of free, online, role-based cybersecurity training.
These training sources should help achieve the common success pattern SANS Institute identifies in its “Back to Basics: Focus on the First Six CIS Critical Security Controls” report, whereby skilled staff are properly leveraged with critical security control training and tools that automate core tasks.
But technical skills are not enough. A 2014 piece by Information Week said the following:
“Information security’s rise in prominence within companies is amplifying the need for soft skills alongside technical security depth” since cybersecurity pros are now commonly asked to speak to executives. “Even employees with deep technical security backgrounds must be able to explain advanced threats to a senior audience and drive investments in security.”
This very tall order cannot be adequately addressed with a simple solution. The vast majority of sources indicate that there is a major, complex skills gap and that training alone cannot solve it. Classical engineering-focused education plays a major role in developing higher thinking skills like critical analysis and research while also developing soft skills like public speaking, teamwork, and writing.
A major benefit of the explosion in government cybersecurity interest and funding is a veritable plethora of cybersecurity educational programs available, both online and traditional. Capitol Technology University, for example, offers several security-centric undergraduate (A.S., B.S., and certificate) and graduate programs (MS, DSc, and graduate certificate) that are increasingly hands-on.
The ultimate skills development solution would blend the core skills and critical thinking higher education specializes in with product and function skills delivered by hands-on training.
But not all sources agree there is a skills gap. TechCrunch’s “The STEM Skills Gap is Only as Real as the Purple Unicorn” says most IT leaders – 70 percent surveyed – blame a lack of skill as the key hindrance to candidate hireability, while only 25 percent of IT professionals cited a gap in skills for the lack of a job offer.
A major problem is faulty recruiting processes: “More than one-third of IT professionals are never given a reason why they didn’t advance.”
Kenneth Chestnut’s LinkedIn piece “Beware of the Purple Unicorn (with Wings) When Hiring” warns against recruitment geared toward looking only for the ideal candidate. Similarly, Rik Ferguson, VP for security research at Trend Micro, recently said there isn’t a cybersecurity skills gap. “You’re being conned,” said Ferguson. “There’s no such thing. It doesn’t exist.” He argues for better skills-oriented hiring practices to solve security challenges as opposed to paper qualifications.
Furthermore, many highly successful and skillful technicians and leaders argue training, education, and certifications aren’t necessary, as you can learn on your own and on the job and be successful. Forbes reported “6 Reasons Why You Don’t Need a Technical Degree to Excel in Tech.”
Regardless of one’s perspective on the skills gap, however, skill development will always be necessary. One of the most exciting and alluring aspects of technology work is the constant need for growth and personal development. The author’s argument is that while organizational and personal success are certainly achievable without formal training or education, experience has shown on-the-job training (OJT) and self-study to be much harder paths to success, with a corresponding drop in success rates.