The chief reasons it remains challenging to recruit security professionals is the multidisciplinary nature of security in general and the lack of cloud skills specifically in the marketplace. Here’s our expert’s view on why the gap persists and how to identify and nurture the next generation of security talent.
Despite what the movies suggest, it’s rare that two coding geniuses engage in hand-to-hand cyber combat against each other from the comfort of their workstations. (Although it does happen, on occasion.)
Cybersecurity in the age of cloud is actually elegantly simple – at least in concept. In reality, cybersecurity is a management function that protects an enterprise’s data confidentiality, integrity and availability (CIA) by developing, communicating and refining policies that govern the way technology is used and accessed.
When working well, these policies prevent cyber risks from escalating to anything like the Hollywood-style scenario. And they do it by ensuring that corners aren’t cut as the organization pursues, for example, shorter product release cycles or more efficient remote working.
Understanding this is key to appreciating the nature of the much talked about cybersecurity skills gap, which remains a concern for IT leaders.
This talent shortage is not a new challenge. But when 43% of organizations still report that competition for security talent makes it difficult to hire and retain staff, it’s time we approached the cybersecurity skills gap from a different angle.
43% of organizations still report that competition for security talent makes it difficult to hire and retain staff
Why the cybersecurity skills gap exists – and persists
The cybersecurity skills gap exists and persists because the skills enterprises seek are multifaceted, in high demand, and range beyond technical. From physical security to the creation and implementation of policy — and the challenges that accompany managing people — securing data goes way beyond technical skill.
As technology changes, people have remained the same. The primary tool we use to manage people is policy. Significant security breaches are consistently caused more often by human error (not following appropriate system hardening guidelines) or malice (intentionally using ones existing elevated access as an employee to disrupt CIA) and not because of a one-off technical flaw. One such example a few years back, and one of the largest breaches in recent history, was the Experian hack that exposed over 143 million American’s PII due to servers going unpatched for three or four months. Yes, this is a technical flaw, but the Apache Foundation had already released a fix that could have been easily implemented, and the hack could have been avoided, had company IT policy required shorter patching intervals.
With new technologies coming online frequently, there’s a constant need for retraining and maintenance of a team’s technical capabilities. To keep up with the rapid pace of change, engineers are typically highly specialized in their areas of expertise, focusing on one or two technical disciplines like specific OS knowledge, networking or programming. In most enterprises, these specialized skill sets have been traditionally grouped into teams based on type of skill. This, in turn, is mirrored in the business, with departments of specialized skill and most IT staff being singularly skilled.
Cloud has turned this system of managing IT staff and resources on its head. With the introduction of cloud, the IT industry has finally started to actualize the vision of an agile application and IT infrastructure. Making a data center into a “cloud” involves adding abstraction layers called APIs to allow for consistent and reliable automation. Think of this as adding robots to Henry Ford’s automobile assembly line.
And with that robot-like automation, IT staff have had to learn a whole swath of new skills to manage those cloud APIs. New ways of doing old things is no problem for most IT pros, but cloud has also forced new alignment of company staff that breaks up traditionally separate teams into smaller multidiscipline groups (two pizza teams) that create and manage the aforementioned APIs (required for cloud automation). Multidiscipline teams, in turn, cause a shift from specialization to more generalized skills.
The switch from waterfall style project management to agile has been very disruptive. Whether you call it cloud, DevOps or digital transformation, the drastic changes to the way we manage IT resources is forcing existing IT staff to learn entirely new ways of managing their systems. This is driving demand for those new skills.
Cybersecurity professionals now need to maintain a broad set of cloud skills as well, because enterprise data is more dispersed than ever before. Thanks to multicloud, third-party analytics applications and different departments firing up new product releases and tools, the trusted compute boundary (TCB) of most organizations now has a footprint that spans way beyond traditional on-premises IT datacenters. A single application can easily include multiple datacenters managed by multiple vendors in disparate geographic locations under varying government regulatory requirements.
Starting with the fact that it’s hard to find and recruit multi-disciplinary IT staff in the first place, finding someone with the additional focus of security is that much harder.
it’s hard to find and recruit multi-disciplinary IT staff in the first place, finding someone with the additional focus of security is that much harder.
To be considered a promising cybersecurity pro by today’s standards, you first need to be a generalist with an understanding of both physical and technical security. You also need at least one or two specific domains of deep IT experience, but typically more, which is difficult when you consider how quickly technology moves. Also, you have to be a good manager with empathy for the way an organization and its people use technology to meet their goals.
The cause of the cybersecurity skills gap lies within this tangle of requirements: to become that person, you need many years of applied experience — way beyond any formal education (just as you do to become a cloud professional). That’s a heck of a long journey, and the result is that the lack of skills is most acutely felt in the weak pipeline between entry level and senior security talent.
Closing the capability – and personality – gap
On most budgets, it’s not realistic to hire the perfect security professional. And holding out for one to come along makes the skills gap feel larger than it really is for many organizations.
Instead, to strengthen that pipeline from entry-level to senior management, organizations must get better at spotting and nurturing the right talent.
The ideal profile is a strong base of technical fundamentals backed by a realistic expectation of practical experience – three years versus 10, for example – in an area such as networking, operating systems or software development. Without diverting them from their technical development path, these candidates are well positioned to have layered on to them the policy and management aspects of a role in cybersecurity.
To nurture this talent over the long-term, organizations must prioritize hands-on experience supported by training and mentorship. Opportunities for people to gain this experience are regularly missed when security is thought of late — or last — in the process of creating new applications and services. Instead, baking in the inclusion of a security specialist with all or most development pods multiplies the opportunities for talent to gain experience, versus being called in to validate someone’s work after the fact.
When formal training is needed, the preference should always be for bootcamp-style sessions built around applied technology. These accelerate the process of learning through trying and failing, but in a low-risk environment.
Leverage culture to empower the “human firewall”
Finally, an organization’s culture should contribute to setting up its developing security pros for success. Most hacks and data breaches are a result of social engineering attacks targeting the wider workforce. A well-informed and engaged “human firewall” is among an organization’s strongest cyber defenses. Removing any barriers that exist between your specialists and the rest of the organization empowers everyone to feel a sense of ownership for security. We’ve seen successful cyber security pros become so approachable that employees feel welcome to send them almost daily updates on the spam they receive. Nine times out of ten, these updates are garbage. But that sense of being together on the frontlines of defending the enterprise is culturally invaluable.
Grow your own unicorn – and start now
Securing the enterprise is increasingly complex. As businesses shift to modern architectures, cloud-based applications and remote-workforces, the opportunities grow for bad actors to intercept any sensitive information that’s transmitted outside of a company’s network.
As we’ve seen, for enterprises looking to combat this, the cybersecurity skills gap is a genuine challenge — but not always in the way you might think, and not only in terms of hands-on-keyboards capabilities.
Those experiencing challenges with cybersecurity recruitment and retention likely sit in one of two scenarios today. They either have managers that primarily understand security policy, but have a weaker grasp on underlying tech. Or they’ll have masters of technology who are lacking in people skills and struggle with setting effective policies.
Organizations that don’t have this problem are the lucky ones that have already found – and can afford to keep – their unicorn with both technical expertise and the soft skills of an effective manager and communicator.
Most companies, however, are going to have to grow their own unicorn by identifying someone with the raw materials — technical discipline combined with a desire to solve human challenges — and committing the time and resources to nurturing them.