Listen and subscribe to our new podcast! Tripwire’s cybersecurity podcast features 20-minute conversations with the people who protect people from cyber threats. Hosted by Tripwire’s VP of Product Management and Strategy, Tim Erlin, each episode brings on a new guest to explore the evolving threat landscape, technology trends, and cybersecurity best practices.
The following is an edited excerpt from a recent episode of Tripwire’s Cybersecurity Podcast.
Tim Erlin: Welcome everyone to the Tripwire Cybersecurity Podcast. I’m Tim Erlin, vice president of product management and strategy at Tripwire. Today, I’ve got two guests joining me. The first is Anthony Israel-Davis, a senior manager in our research and development (R&D) group. And I’ve also got Onyeka Jones, senior product manager responsible for our ExpertOps offering. Welcome.
A Historical Perspective of the Infosec Skills Gap
Today we’re going to talk about the skills gap. Tripwire did a survey recently around the topic. Did either of you want to talk about what the survey found?
Onyeka Jones: I will. We’ve done the skills gap survey for three years in a row now, and some trends were pretty consistent across all the years. But some things do change. What I found really interesting was that the survey showed how larger organizations are feeling the skills gap challenge much more acutely than smaller organizations do.
Anthony Israel-Davis: I see what you’re getting at, but I don’t know that the ever-evolving environment of information security changes all that much. Basic concepts like vulnerability management (VM), secure configuration management (SCM) and file integrity monitoring (FIM) are always going to be important. But staying on top of that is also going to be a bit of a challenge because attacks are becoming more sophisticated and prevalent.
TE: Yeah, I agree. If the data is telling us that folks are more concerned about staying on top of these capabilities, has something changed in the market? Or perhaps has something changed in the threat environment or for the organizations themselves?
OJ: I think it’s probably a combination of those.
If you take vulnerabilities, for example, there are so many vulnerability management solutions out there, but we’ve always told customers (and the research backs this up) that it’s not so much having a solution or a tool in place. It really is more about that holistic program of vulnerability management. And when we talk to customers, the challenge that at least I hear from our customers is “yes, we have the solution in place,” but it’s about getting the processes in place internally to really get the value from their solution.
We’re seeing in the trend that as the threat landscape increases and attackers become more sophisticated, organizations need to quickly change how they are responding to vulnerabilities.
How the Industry Is Doing in Addressing the Skills Gap
TE: I think that it’s common sense to say that technology doesn’t solve these problems. You need people, process and technology. But we’re not following common sense. Most of our investment still tends to go towards technology. How much of a problem is that in the market?
AID: In the past, a lot of technology was driven by the need to check a box. Organizations didn’t need to understand how it worked, but their auditors needed to see that they’d incorporated FIM, SCM and VM into their environments. But if they’re not doing anything about these fundamentals, they might check the box, but they’re not actually securing their environment. And I think now companies are recognizing that they need skilled people.
TE: I think it’s important to point out that there’s some conversation around whether there is really a skills gap or whether organizations are shutting people out with unrealistic expectations of qualifications, certifications and skillsets. How is it impacting the organization’s ability to hire capable people?
OJ: Yeah, I mean there are different perspectives on that. There is a perspective of people saying that the industry is screening out qualified applicants. But if you look at just the research that we conducted, it’s pretty consistent that even when these applicants are hired, organizations feel like the talent they hire needs extensive training.
AID: I agree. You do see those job postings that box out people, and that probably hurts the companies trying to recruit those. At the same time, you do need some level of qualification.
Hiring internally and training people is a valid approach. However, even that I think has the same challenges as the top level in that even when you hire somebody internally, you need to backfill that position. And as you mentioned in your introduction, the skills gap isn’t only in cybersecurity, although we’re feeling it fairly acutely here because of I think the specialty of the field. It’s everywhere. A great approach to fill those positions and build a bench is just shifting the problem to another part of the business. So, I think we should focus on that.
Addressing the Skills Gap Going Forward
TE: This brings us to the final topic for this conversation: what should organizations do about it? Onyeka, do you want to start it off?
OJ: We’ve seen organizations not just relying on someone that has all the qualifications but also taking people from other departments perhaps in and training them up. I’ve also seen organizations invest in internships and invest in automation just as a way of really scaling their operations.
TE: Anthony, anything that you would add to that?
AID: Sure. So the standard mantra for recruitment is to re-recruit. We train and then we retain that talent. So, I would say retention is going to be huge.
Second, we should train people from an early age. It’s not a long-term solution for the company, but I think this is where governments actually can come and be involved to help people receive basic information security skills training early on.
Finally, there’s efficiency. That’s better, smarter tools. We talked about more people and training. And then, of course, we’ve got managed services.
I noticed in Tripwire’s survey that a large percentage of companies are willing to outsource their security. It’s just they don’t want to manage the tools. They don’t want to be administrators. They don’t want to have to pay for the technology or the infrastructure. They’re happy to have somebody else do that. And there are skilled teams that are able to do that, that bring technology. They bring platforms. They bring knowledge so that they can provide the information, and companies can consume that and do with it what makes sense for their business.
OJ: I think one of the things that most organizations can do is focus on security awareness. Security’s everyone’s job. So even though we are talking specifically about the skills gap as it affects the security team, I think organizations should also focus on security awareness.
TE: Good point. I want to close out with a question for each of you. Looking forward, do you think that in the coming year the skills gap problem is going to get worse or better?
OJ: I think that it would probably get better in the future.
I think we will see the tide turning as cybersecurity becomes much more important, not just to organizations but to governments. When we’re thinking about elections and the potential for cybersecurity, I’m expecting that we should see the government invest more in cybersecurity and funding and education and things like that. So, my expectation for the future I suppose is optimistic that we will see the cyber skills gap challenge decrease.
TE: Anthony, what’s your perspective? Better or worse?
AID: I agree with Onyeka, but I think it’s a very long-term problem. It’s a challenge that we’re going to have for some time because there’s a cultural shift that needs to occur.
TE: That’ll do it for us today. Thank you, Onyeka Jones and Anthony Israel-Davis, for joining me on today’s podcast, and thanks to everyone who is listening. Please join us for a future podcast.