How security leaders need to fix the security industry skills shortage

Shai Gabay offers some practical steps each security leader can follow to attract and hire the right people to help ease the security industry skills shortage

pencil sharpened skills
Credit: Thinkstock

Are you struggling to hire qualified and experienced security people? Are we in the middle of a skills shortage?

You know I like to debate whether a shortage exists or not. I also accept that for some security leaders the answer is yes: we have a shortage. And yes, they are struggling to hire and retain qualified people.

That means we need solutions. Now.

Shai Gabay of Cyberbit

Shai Gabay of Cyberbit

Shai Gabay (LinkedIn), Chief Innovation Officer of Cyberbit, proposes a different path. Something more immediate. With an approach that creates lasting benefit for the entire organization.

Gabay has 15 years of experience in the security industry. Prior to his current position with Cyberbit, he led the security operations in one of Israel’s leading banks as its CIO for eight years. Gabay’s responsibilities included leading the information security team and building and managing the security operations center.

My conversation with Shai was dynamic. We agreed that debating the skills shortage wasn’t as useful as exploring ways to improve security and bring the right people on board. As Shai explained, “the skills shortage won’t solve itself.” While some folks are focusing on education to prepare a future workforce, Shai has insights for leaders struggling to find qualified people today.

Even better, this approach holds benefits for the organization overall.

You suggest it takes a two-pronged approach to get started. What are the two steps?

The skill shortage is big issue that is not going solve by itself, According to a Peninsula Press analysis, there are 209,000 U.S. cybersecurity open positions without candidates, and the number of open positions are up 74 percent over the past five years. The same analysis says that demand for cybersecurity professionals will grow 53 percent through 2018.

We need to find a new approach to address this challenge, the way I see it, we need to lower the barriers to entry to get more talent in the door.  

First, we need advanced technologies to orchestrate all SOC activities to one pane of glass with automation capabilities that make make our processes better, clarify our playbooks and provide all necessary data to support the decision making mechanism to ensure our staff handle incidents professionally and effectively.

Second, we can do this by identifying the aptitudes and capabilities for the people we want, and focusing on the skills we can’t teach. Then, we need to develop enhanced training programs that cover all necessary capabilities based on those aspects. The way we think about this talent is to harness our technologists based on what we truly need through widening the focus to the whole industry—the challenge is bigger than any one company.

Companies can’t afford for teams to be dealing with real threats for the first time on their watch on production environment, or bogged down by buggy systems or poor user experience design. By identifying the right aptitudes and matching these people to the new technologies and approaches, we could really shorten the training time for the entry point and they’ll grow into experienced cybersecurity professionals.

The real key is connecting people to the technology and process with real experience. We do that with a cyber range and simulations.

I think the main challenge today is how to prepare someone to deal with and mitigate threats that they have never seen before. There is a huge difference between learning a concept and experiencing the reality of a situation. As part of the training process, we need to be able to learn from mistakes—your own, others’—and the broader complexity that comes from working through real situations with other people. When we see trainees on a cyber range or simulation, they get the chance to really understand what’s expected of them while attack responses are in process. By training people with simulations and cyber ranges, trainees get the added benefit from evaluating performance. This evaluation makes it easier to select people for additional training, qualification and certifications.

How does working with the organization in a cyber range create a big advantage for the CISO?

A cyber range gives CISOs and other C-level leadership another perspective on the moving parts of an attack. This training method helps executives find out the company’s level of preparation based on how people actually perform during an incident. Additionally, it gives teams the flexibility to run various exercises to see where would be best to invest time and energy improving and practice team efforts. You start to understand the environment in relation to the team’s skills to help predict where problems may crop up, or where you need additional support. And it helps CISOs figure out where to focus, which can be a key challenge in an age of cyberattacks and breach fatigue.

In advanced scenarios, the exercise can also involve business owners and the decision making process.

At the end of the day, the CISO wants to understand the current professional level of his team in mitigating those scenarios, and to be able collaborate with relevant stakeholders to manage the breach.  

What is the difference between cyber simulation and cyber range?

The cyber simulation trains staff in real time scenarios in control environments that won’t affect the organization’s network and system. In this case, the simulation will take place in predefined networks that the team uses as a playground. During the training, the trainees exercise different methods and technologies to mitigate the threats. The scenarios could be in different levels of complexity in order to achieve progress and maturity.

The cyber range has all the capabilities of the cyber simulation with one important addition: the capability to bring your company’s network, tools, and resources to a training ground where you can bring the attack activity to the surface of the organization. You practice the simulation on the range, where the setup looks and acts like your network, but you’re free to test, try and make mistakes without repercussions.

In both cases, during the simulation, you must first understand people’s minds—if they’re single-faceted, multi-faceted, and otherwise—then, you embrace the attackers’ mindset to practice the attack scenario.

What is the first step for a security leader to get started?

I think the first step will be to define the relevant scenarios and necessary skills for your organization, and use these as the basis to develop routine training programs. The basic program should include cyber simulation and tabletop exercises. However, this is only a first step, not a “one and done” solution. Investing in ongoing training is most effective over the long-term. Additionally, you can easily find ways to get started with simulations without a ton of upfront investment. For example, you can go to a local competition or hire a company to conduct one for you. Some companies start out with tabletop exercises; make sure to connect these to your technical simulations, which will help you make the case to build the talent and capabilities internally. After that, you can move on to the next phase of the cyber range to practice scenarios with your networks, tools and technologies.  

At the end of the day, you should always keep connecting your technical efforts with the business.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.