An independent guest blogger wrote this blog.
If you do a web search for "cybersecurity skills gap," you'll get many, many pages of results. It's certainly a hot topic in our industry. And it's a matter that security practitioners and human resources people often disagree on.
But before I get further into the matter, it would help to know what it is we're talking about when we use the phrase "cybersecurity skills gap."
From the perspective of employers, it means that potential job applicants don't have the specific cybersecurity skills they're looking for, and possibly that the people they already employ don't have the skills to be promoted into new cybersecurity-related positions. This can be a really tricky area, because computer technology evolves very quickly, and universities, colleges, and vocational schools often cannot change their curricula at the same speed. Likewise, the cyber threat landscape can change quickly too!
From the perspective of many job seekers and security people, including myself and many of the colleagues I've spoken with, the phrase "cybersecurity skills gap" can sound like a taunt. Some of us have spent years in computer science programs, and many more years in IT courses and acquiring industry-specific certifications. So we don't have a particular niche certification or ten years' experience with Windows Server 2016. We have loads of related know-how, and we match many of the other job requirements, so why won't employers give us a chance and let us learn the rest? Others have had a knack for computing since childhood, but the expense of college tuition and certification exams can seem insurmountable when you're just starting out and have little money. How do we get our foot in the door in the first place, when we need experience to get a job but can't get experience until we have one?
The cybersecurity skills gap phenomenon can hurt people in the industry who want good jobs, but it hurts companies and the security of their networks even more. According to the 2018 (ISC)² Cybersecurity Workforce Study, more than 2.9 million cybersecurity-related job positions worldwide were unfilled. In the time that's passed, that number has likely grown. These positions span a wide range of roles, from SOC analysts to DFIR, from penetration testers to application security specialists. Leaving unfilled the positions that organizations themselves have recognized as needs inevitably weakens cybersecurity everywhere, and companies lose huge amounts of money in cyber attacks and data breaches.
I have my own personal views on the matter. But cybersecurity people on Twitter also talk a lot about unrealistic job posting expectations and their impact on the skills gap.
Shawn Thomas is a SOC manager. He tweeted about his exasperation with job posting requirements.
"If your entry level job in infosec requires:
At least 3 certs
Prefers two years of experience.
YOU ARE NOT ALLOWED TO COMPLAIN THAT IT'S HARD TO FIND CANDIDATES
Additionally the discouragement students have when they hear that should make you feel bad about yourselves."
I also have an industry friend who has done a lot of her own research into the skills gap matter. Plus she has experience hiring for cybersecurity roles, experience that I lack. Alyssa Miller is a security evangelist and hacker, and she shares her knowledge at so many security conferences that it'd overwhelm me to do the same. She has written many posts on her blog about the skills gap, so I wanted to learn a bit from her.
She recognizes many factors in the skills gap problem, ranging from unrealistic job posting requirements ("Must have a CISSP, a Master's in Computer Science, and ten years' experience with Metasploit Framework 5.0. An entry level role, salary $40,000 per year.") to interviewers' prejudice against body piercings and tattoos (of which I have many). But I wondered whether a corporate reluctance to spend time and money on training might be a factor too.
She said, "I absolutely think companies are reluctant to invest in training people and it definitely is a contributing factor to the skills gap. Over the last few decades, budgets for training have been one of those easily leveraged pools of money that takes an early hit when cost cutting is needed. Additionally, some organizations seem to be afraid that if they pay to train their people, those people will be worth more in the open market and will leave the company, nullifying their investment. What they fail to see is that by investing in those people and showing that they value them, that actually encourages them to stay."
I hope an HR manager is reading this! Ping-pong tables may be nice, but providing your employees with specific training so they can take on roles with greater responsibility within your organization is much nicer.
Interviewers also need to broaden their idea of what a good security practitioner looks like. They could physically look like anyone! They could be a 40-year-old white man in a Brooks Brothers suit, but they could also be a 20-year-old multiracial woman in a wheelchair with purple hair and a wardrobe from Hot Topic. Conversely, you shouldn't be afraid to hire a 60-year-old either. I asked Miller about a term frequently used in HR, "culture fit."
"There's a lot of bias in the hiring process and yes, culture fit is one of them. Security, and tech in general, thrive on diversity. More than that, we need it to truly advance and be better. Diversity of thoughts, experiences, ideas, backgrounds, it all helps create better technology and better solutions to problems. Culture fit is a term that gets overused and misapplied. As you pointed out, hiring managers who don't really understand how to develop culture or who are not well trained in evaluating talent will often default to finding someone who's like the people we have today and term it culture fit."
We'd like to have a positive impact on companies that hire cybersecurity people. So Miller has some advice for you.
"(My advice) first is investing in your people as we discussed, but not just the security team. Develop clear skills development plans that allow resources to transition from other non-security or even non-IT roles into security and then enable those plans. Second, you have to actively work to eliminate biases in your hiring. Not just along the lines of things like ethnicity, gender, and so forth, but things like appearance, experience, and so on. Be willing to hire the person with purple hair or a full sleeve tattoo. Artificially limiting your pool based on foolish criteria is always a bad idea. Finally, embrace remote working. I can't believe in 2020 we're still having this conversation but I'm amazed how many roles I see that still require a local in-office resource when the technology exists for people to do that job from a remote location. I've heard from hiring managers who are still afraid of how to manage remote people so they just don't allow it. That's wrong on so many levels."
I honestly believe that a lot of companies really do want to do something to help close the skills gap and improve the cybersecurity of their organizations by hiring more people. Millions of unfilled cybersecurity job roles hurt everyone involved: people in the industry, people looking to get into the industry, businesses of all sizes in all industries, and everyone's security as a whole. Fortunately, this is a solvable problem. But it will take a lot of teamwork and a lot of open minds.
But that's just my opinion and the opinion of many others in our industry.