There’s certainly no shortage of claims regarding the current shortfall of cybersecurity professionals. These findings show up repeatedly in our surveys, most recently the 2014 Global Information Security Survey and the 2013 State of the CSO, which both revealed that the demand for skilled IT security professionals continues to strain organizations' ability to fill security positions. Finding skilled information security workers was identified as one of the greatest challenges for 31 percent of large companies.
Interestingly, the Rand Corp. recently released a report in which the think tank said that it believes that the combined steps being taken currently by the government, private sector, and university training will help close the cybersecurity skills gap soon. The full report is here.
Talk of widespread gaps in skill demand and anticipated future information security job market balance are interesting, but what security pros need to know today is what skills they need to be honing to thrive in the years ahead.
With that question in mind, we reached out to more than a dozen practitioners, most whom are in a position to hire or contract security expertise. Our informal survey found that there seems to be an increase in the demand, at least in the private sector, for security pros who are as much, if not more, skilled in communications, business management, and explaining risk to executives in business terms.
“There will always be the need for technical skills within security, says Brian Honan, founder of Dublin, Ireland-based BH Consulting. “But in many enterprises these [positions] will be subsumed into operations or outsourced to vendors who specialize in those areas.” For this to be possible, Honan anticipates that much security automation is on the way, such as that we see in patch management, vulnerability management, and change control. “We will also see better automated solutions to automatically detect and react to threats,” Honan anticipates.
It remains to be seen whether we see that level of automation, or not, or if new complexities appear and manage to increase IT security professional workloads.
Regardless, security professionals need the right skills to survive in the years ahead:
- Get the big risk management picture. As more security capabilities are automated, and more risk is transferred to third parties and managed security services, security pros are going to need to be able to broadly define these risks to business leadership and provide the best solutions to meet that risk, help quantify the risks of different IT architectures to management, and provide guidance on the people, tools, and processes necessary to manage that risk. “To be able to successfully conduct such risk assessments, security professionals will have to develop other abilities – such as better communication, presentation, and business skills – so they can interact with senior business management and ensure that security requirements match those of the business,” says Honan.
- Data ninjas needed. The increased generation and use of enterprise data, the greater complexity of IT architectures, and the demand within enterprises to understand all of the security related data they are generating are all going to continue to drive the demand for security pros who can work with data scientists to be able to better pinpoint and respond to threats. “I am fully convinced that the cyber threat intelligence market will see explosive growth for at least the next decade. That means qualifications such as threat analytics, reverse engineers, and data forensics incident response (DFIR) specialists will be in high demand globally,” says Martin Dipo Zimmermann, CTO and cofounder of the Cyber Threat Intelligence Network.
- Be a collaborator, rather than a cowboy. Get ready to collaborate: As enterprise IT management moves toward more continuous deployment and continuous integration models, and more enterprises embrace DevOps, security professionals are going to need to collaborate more effectively and closely with operation teams, designers, developers, and lines of business.“I think we will see less of 'corner office' CISO's and more leadership with focus on Info-Sec as a team function,” says Zimmermann. “And it still must be capable of performing strong risk assessments, architecture, and analysis of network structures,” he adds. “So, no more paper tigers with certifications but no skills, and people who have grown from the administrative teams into security and know what they are talking about both in technical terms and when it comes to business interests.”
- Bring both techncial and business leadership chops. “I think that skillsets that are a combination of a broad technical foundation with some depth combined with strong business leadership and communications skills will be a must for CISOs to succeed. You can often find one or the other today. Finding both skillsets in a single person is the challenge,” says Jay Leek, CISO at The Blackstone Group. Zimmermann agrees. “They must excel in communication with upper management and convey challenges as risk management. But they also need strong understanding from a technically very low-level with hands-on networking skills,” he says.
- Be an enterprise IT polymath. While enterprise architectures may seem complex now – and they are compared to a decade ago, with hybrid public/private clouds and legacy architectures, and more devices generating and manipulating more data on more network connections – the complexity is really just starting to ramp up. Over the next five years, we’re going to see more connected devices with the IoT, more wearables, and generally just more devices that will be needed to be secured. “Now that the complexity is ramping up, it's not so much finding the discrete skills as it is finding people who can manage multiple disciplines in their head at one time,” says Zimmerman. “There is more need for multidimensional skills. So either one person can do multiple things, or lots of people are needed to each do one thing,” he says. “What we want are 30-year-old pen testers with people skills, forensics, and law – and that's just impossible. Very few people can accumulate that much diverse knowledge before they're 50,” says Honan. “What you cannot do is make someone a cyberwarrior without a foundation of some sort, barring the far right flyers on the bell curve. Some people just grok hacking. Most of us need a bit of guidance,” says Zimmerman.
No doubt. And while the future is bright for those with the right sets of skills, it’s likely to be quite dim for those who choose to stand still and not continuously train and grow their capabilities.