Is There a Talent Shortage in Cybersecurity?
According to a Cybersecurity Ventures report, there are one million job openings in cyber security and that number could grow to six million globally by 2019. Cyber security expert Jack Daniel shares his ideas on how the industry can address the growing talent shortage.
There’s been much talk about the talent shortage in cyber security, but the industry is still looking for solutions. Simply pushing more people into the industry isn’t necessarily effective, as meeting the need also takes better training and technology.
Jack Daniel, co-founder of Security BSides and a member of the Tenable Network Security team, is a long-time industry insider and host of the Security Weekly podcast. Jack shares his insights on the talent shortage in cyber security and the best ways to address it.
Why is there a shortage of qualified cyber security professionals?
It’s not so much that there’s a shortage of talent as we’re trying to solve things badly. A century-plus ago, all of our cities were facing a nightmare because they couldn’t deal with the number of horse-drawn wagons in the cities.
The manure was a terrifying health hazard, there weren’t enough groomsmen, there weren’t enough farriers and there weren’t enough wagon-wheel builders. Throwing more people at it didn’t solve the problem – changing the technology did.
We do need systems that can reduce the amount of work that analysts and security people have to do so they don’t have to do mundane things. There are all sorts of contributing factors to this.
One thing that I think is worth mentioning is a lot of companies simply say they can’t hire enough people, either can’t afford to or won’t spend the money to hire people. A lot of times I see people saying “we’ve got 100 open positions in a company of 500” and you look and they’re trying to pay half the market value. That skews the numbers too.
What are the best ways to address the shortage?
There’s a lot of hype around machine learning and artificial intelligence because people are working on interesting things that look for bad behavior. So what’s bad behavior? It’s people or systems trying to do things they shouldn’t, such as allowing access to restricted data, or performing actions which expose systems to exploitation. A lot of the time it takes somebody who knows the environment very well to spot this bad behavior. It turns out, if you build systems with enough power, they can start to detect anomalies and it’s easy to boil down.
Technology is not going to solve the technology problem. Security, in part, is mostly a people problem. People create the technology. People are using technology to do their job. It’s only those of us in the tech industry who really live and breathe tech. People use technology to manage their organizations. It’s a tool, and oftentimes security is needed because the tool lets you do something you shouldn’t.
So there’s a real challenge around figuring out how to create systems that make it hard to make mistakes and make it easy to spot things that have gone astray. We’ll always need people to do that.
Globally, many places have challenges getting the technical education into schools early enough to get people’s interest. Science, technology, engineering and mathematics (STEM) is so important, but don’t exclude the arts, because you have to think creatively.
Getting a better technical education that prepares people for a highly technical world, whether or not they come into our industry, is an early step, but that’s a long game to get those people in. There needs to be a stronger focus on advanced degrees and meaningful certifications, which can teach valuable skill sets and technical expertise.
I think we can do a better job of onboarding people. One of the things I see as a lost opportunity is that as a lot of things are automated, technology is moved to cloud services and we’re moving to activities that don’t require an IT admin on the ground. We’re pushing a lot of old-school IT admins out of the workforce. I think it might be worth trying to invest in some of them to see how we can adopt a security mindset. Unfortunately, it’s not going to work for everyone.
How much is burnout an issue for cyber security professionals and how can it be addressed?
What I’ve seen lately is the stunning amount of breaches we’ve had. The folks that do forensics and incident response are often overworked because there simply aren’t enough of them. This kind of feeds your problem.
Take for example forensics and incident response professionals. If you push the team too hard, some of the folks aren’t going to be able to handle it and that ramps up the pressure on everybody else when you lose one team member. It has a cascading effect.
If you drop a few people off a 12-person team, then the load becomes unbearable. The quality of work goes down, people’s careers have to be put on hold or they leave the industry. We need a better solution.