Confronting the widening infosec skills gap

Estimates of the shortage of qualified information security professionals needed to fill available jobs in the next several years range into the multiple millions. A number of organizations are trying to change that. But they say it will likely be years before the gap is closed.

Williams said he thinks part of the problem is that in spite of the demand and good pay, awareness of it hasn’t trickled into the nation’s educational system. There isn’t much focus, he said, on technical careers.

“We’ve lost the 1960s focus on being a rocket scientist,” he said. “You hear college students talking about being doctors and lawyers, but nobody says forensic analyst. It’s not talked about in the mainstream.”

Added to that, he said, is that at the middle school level, “most teachers have general degrees, so they tend to shy away from technology. They’re afraid that if a kid asks a question, they won’t have the answer for it.”

But, with growing awareness of the gap, there are now multiple efforts to address it.

Shearer said (ISC)² is working with both public and private educational institutions to “embed cyber into their courses, particularly within IT, now that we are seeing so much more security activity managed at this level.”

One of those initiatives is the Global Academic Program (GAP), which promotes industry-academic cooperation to bridge the workforce gap.

“Last year, we developed a report from the (ISC)² Foundation and the University of Phoenix to highlight the challenges posed by the shortage of cybersecurity professionals,” he said.

Williams points to efforts like the National Initiative of Cybersecurity Education (NICE), launched in 2010, “to get the whole nation aware of the threats that exist and create a workforce to engage the threat.”

He said one of the goals is professional development for teachers so they can “infuse cyber education into their existing curriculum, from literature to math and social sciences.”

But he and others agree that it will take more than high-school and college courses to deliver the level of skills needed.

Aaron Cohen, COO of the Blackfin Security Group, said one of his firm’s initiatives, called ThreatForge, provides threat simulation training that seeks to come as close to real-world attacks as possible.

“There are extremely talented people within organizations,” he said, “but it’s hard to take someone in a systems administration role and make them a security expert.”

Education is useful for learning the basics, he said, “but there is no replacement for on-the-job training. You can’t just throw somebody into the fire.”

And he said security threats change so quickly and significantly that it is hard for traditional educational institutions to keep up.

“Handing somebody a book or labs from several years ago isn’t really going to work,” he said.

That is also the message from Williams. “Cybersecurity skills are perishable,” he said. “It requires hands-on, constant training. We need skills-based training and performance-based evaluation. Instead of studying a book and taking a multiple-choice test.”

He said the speed at which threats change is dizzying. “In medicine, things might change every year,” he said. “In cybersecurity, they can change every 10 seconds.”

He said some of that need is influencing education. “Students in middle and high school can enter competitions like CyberPatriot, which can lead to scholarships and a chance to compete in college in the National Collegiate Cyber Security Defense Competition, similar to a scholar-athlete playing football,” he said, adding that students in such programs are qualified for entry-level positions with the National Security Agency or Department of Homeland Security on the day they graduate.

The other reality, however, is that security is a life-long pursuit. Dominguez said it is important for organizations to realize that it is “not a project with a discrete start and finish. It is a process that continues to evolve, as do the attack methods and threats.”

So, amid the ongoing efforts to close the skills gap, there are likely to be ongoing challenges.

Dominguez said finding qualified security experts “is even more of a chore now because the good ones are employed.

“I am generalizing here – this is not true of all those seeking employment in today’s market – but those in the market are primarily those that do not have the deep technical skills,” he said. “To grab top talent, you have to outbid the competition and offer more incentives.”

Shearer also said the shortage will continue to create difficulties. “We will see a heavier reliance on technology – automated processes – for security,” he said. “Breaches will certainly continue, with more sophisticated attacks and less personnel to mitigate the damage.”


Copyright © 2015 IDG Communications, Inc.
