Applicants and companies need to change their expectations in order to fill the jobs gap

It’s no secret. There are not enough skilled applicants coming down the pipeline to fill the security jobs that are out there. While I’ve heard it in almost every conversation I’ve had with security professionals for the past several months, I just don’t understand how this can possibly be true.

Survey says, “It’s true!” According to Mike Gerdes, director of information security at Experis, it’s a frightening truth that has a lot of folks scrambling to figure out what to do.

“In the next three years, the demand for security talent is expected to grow by 2.5 million, but the supply only by 1 million, leaving a jobs gap of 1.5 million,” Gerdes said.

“We have been doing talent surveys for 10 years. The gap is growing in technical challenge shortages and IT security, and the shortages are getting very acute,” Gerdes said.

The rapid pace of innovation has done wonders for IoT, but IoT has produced a preponderance of more intelligent mobile devices that are all creating information. “The problem,” said Gerdes, “is that information has to be processed, which has created a bubble of information that organizations aren’t equipped to deal with. Basic operations people may have been good at what they were doing, but they don’t know how to process the data coming in.”

But there are so many automation tools out there that it seems to me that there would be fewer jobs available for actual human beings, which isn’t the case.

“Yes, there are lots of tools out there, but the problem is that out of the box they are not tuned to react to the environment they are in and allow legitimate traffic.
You still need an expert to set up the tuning,” Gerdes explained.

Even a data leakage prevention filter could create problems because you may find some normal business transactions are now blocked because, by default, they are part of the black list. Gerdes cited situations like this and others similar to it as evidence that the future of security relies on man and machine working in harmony.

“No, sometimes you don’t need to have that person on your staff. You could hire a third party as a service or a contractor and just buy the appliance and use the person,” but Gerdes said even that approach eats up resources.

But if it’s the skill sets that are lacking, then wouldn’t it also be true that criminals are not adept at these skills either? Won’t there also be a bad guys gap?

Gerdes said, “At this point, in many cases, people that are working on the Dark Web side of the equation tend to be better than the enterprises about sharing information to help one another. The bad guys are more adept at sharing information that finds that crack–not the final attack tools–but the concept and research.”

The potential shortage of bad guy talent, then, is made up by their ability to collaborate in the dark web. “Classically we have had a problem sharing information because of the issue of digital trust. They are afraid the information won’t be protected,” said Gerdes.

A number of opportunities are out there for security defenders, but too often companies are pushing with a standard hiring profile. Most want someone with a four-year degree and a minimum of five years’ experience. “Once they get an interview, then they ask about platforms and skills,” said Gerdes.

Realistically, for people who decide today that they want to start down that path, it’s nine years from now before they are able to apply for one of those jobs.

Gerdes said, “The other opportunity is to look into trade schools or technical colleges or company-offered training.
They can enter into the space in an entry-level position within a year or two, but there are companies who will take those folks and train them internally.”

While job applicants need to hone their skills, network, and get themselves noticed, enterprises also need to change their expectations. “There are no bachelor’s degrees in firewall management. Some candidates have five, seven, 10 years of experience that won’t be considered because of the basic rules,” said Gerdes.

“There are companies out there where you can earn your degree over time as an employee benefit,” Gerdes said, so a quicker entry way might be for applicants to change the companies that they are targeting.