An employee with a security background is a hot commodity these days. And one who is a jack of all trades is even hotter in a market where there is a shortage of cybersecurity-skilled employees.

It has gotten to the point that besides trying to secure the product, companies are asking their security pros to explain and sell the product to prospective clients.

“I guess you could say we’ve come full circle when the analysts who were in need of the product are now helping to sell the product,” said Chris Camacho, chief strategy officer at Flashpoint. He said while the shortage of cybersecurity staff continues, many enterprises are now looking for less volume and for more specialization.

He added that on the flip side of all this are the companies working to develop security products. “They know that the threat is evolving, security departments are often under-staffed, and understanding their product is the key to a sale. So they’ve begun to hire the traditional threat intelligence analyst and to put them to work as a sales engineer or solutions architect,” Camacho said.

Their role is to help prospects understand their security product and how best to use the product to have an impact on their company, he said.

In addition, multiple product companies are taking this approach as well. Instead of hiring traditional analysts, they are demanding specialization of analysts on specific threat actors, regions, and languages, as this service offering is resonating with the enterprises that they sell to, he said.

“With so many different product companies out there, they are looking for ways to stand out in the crowd, and the leaders in this space are adopting this strategy as a way to reach new customers and retain existing ones,” Camacho said.
“Enterprises that have existing generalists will use these vendors as an add-on to augment what they have currently if they decide to not make the move towards specialization themselves.”

James Stanger, senior director of products at CompTIA, said good companies – especially security software companies – use technical sales folks all of the time. “It’s a time-honored practice. Adding a threat intelligence analyst to the sales process can make a lot of sense,” he said.

One reason is that threat hunting has become so important, he added. Also, the job role of security analyst has grown tremendously over the past two years, and it will continue to grow.

Traditionally, security workers are focused on either vulnerability management or penetration testing. But those roles have morphed into the security analyst job role, he said.

That has occurred because traditional vulnerability management alone doesn’t really find where the attacks are going to occur. “There are too many vulnerabilities to address, so it’s difficult to apply resources logically to resolve them. Penetration testing doesn’t help as much as we thought, unless it’s in the service of proper security analytics,” Stanger said.

“Lately, folks are feeling that an analyst can help find the most likely risks more efficiently. Once you’ve found those risks, it’s easier to apply resources (e.g., time, effort, energy, software) to address those risks,” he said.

“It does make sense that an analyst is now being brought into the software sales dance. Whether or not that’s really going to resolve our security issues is another question,” Stanger said.
“One could argue that more software sales won’t help resolve our security issues until businesses get their business issues in order first.”

Seth Robinson, senior director, technology analysis, CompTIA, and the author of the study "The Evolution of Security Skills", said in general, companies are finding a need to create security specializations since the topic is so broad and complex.

“In the past, security tasks were typically done by an infrastructure team, but today’s triple focus on technology, process, and education drives demand for specialized security skills. The downside to this approach is budget—a number of specialists cost more than a single generalist,” Robinson said. “But businesses will have to assess the appropriate security budgets in an era where security breaches can take down entire companies.”

Other companies haven’t caught up to the times

Trying to shoehorn an employee into a sales role can be difficult, especially when the market is not churning out enough qualified candidates.

CompTIA said in its report that new training is needed to close skill gaps. Some companies are in a position to hire or partner in order to meet security needs, but the most common approach is to improve the existing workforce. For technical workers, 60 percent of companies use training to build security expertise, and 48 percent pursue certifications. Many companies are also extending training to the general workforce. Ongoing programs that measure knowledge can improve security literacy for employees that are increasingly using and procuring technology.

Most companies are left with skill gaps, areas where the in-house workforce or partner network lacks expertise. CompTIA said only 33 percent of companies feel that they have a very high level of security understanding within the organization.
While this is primarily driven by the security knowledge of the overall workforce, skill gaps among those responsible for security also factor in.

The top two skills in need of improvement, according to CompTIA, are general infrastructure security and knowledge of various threats. Infrastructure security has expanded from basic firewalls and data encryption into application-aware firewalls, intrusion detection/prevention, and network monitoring. Similarly, the variety of attacks continues to grow, with Kaspersky Lab reporting that it discovers 323,000 new malware samples each day and other attacks such as denial of service and SQL injection adding to the complexity.

According to CompTIA’s report, on the technical side, cloud computing drives a need for security directly attached to applications and data. As these components move from on-premises systems into cloud providers, safeguards are needed on top of the security provided at the layer of the cloud offering.

Across the board, small businesses trail their larger counterparts in reporting a need for skill improvement. Small companies will need to realize that new skills are needed as new attacks may target the lowest defenses rather than the most profitable victims, CompTIA wrote.

“Organizations must shift to proactive measures, including external audits, penetration testing, and security training. Strong defenses will always play a role, but they must be coupled with ongoing offensive activity,” CompTIA wrote in its report.

In its survey, although 14 percent of companies do not have dedicated security roles, many firms are searching for security specialists. The top role in demand is cybersecurity analyst, an employee who proactively monitors networks and uses analytics to assess threats and provide remediation.

CompTIA reports that many companies remain on the defensive, fighting cyber threats with dated tactics and training.
“Building an impenetrable defense is no longer practical and the mentality of preventing all breaches is outdated,” Robinson said. “But a new, proactive approach combining technologies, procedures and education can help find problem areas before attackers discover them.”

One of the challenges for organizations is that they tend to place the greatest emphasis on the cyber threats they understand the best. Malware and viruses, two of the oldest forms of cyberattacks, typically get the most attention.

“While we certainly need to remain vigilant about these threats, many other forms of attack have emerged that can carry disastrous consequences,” Robinson said.

Companies are gradually shifting their focus from defense to offense. In CompTIA’s survey of business and technology executives at 350 U.S. companies, 29 percent of firms said they are highly proactive in their security posture, emphasizing detection and response. Another 34 percent said they balance a strong cyber defense with some proactive measures.