Closing the cyber skills gap: What to do next
On a global scale, cybersecurity is suffering from a severe shortage of experts. What is to be done? Organizations, government, academia and professional associations need to work together to develop a sustainable cyber skills strategy. To date, strategic thinking has largely focused on what to defend and how to defend, but less on who is going to do it. Now is the time for closing this gap – and fast.
The skills pyramid
As with other professional and technical disciplines, cybersecurity covers many skills and levels of education. It helps to organize these into a pyramid that groups the skills needed at each level. The bottom end of the pyramid includes a basic skill set that everyone should have, including typical security “hygiene” in private and organizational contexts. For example, recognizing basic or advanced phishing attacks is easy after even a short educational session. Likewise, blunt social engineering is simple to spot once one is aware of the tell-tale signs.
The intermediate or specialist level is the skill set typically needed in IT, encompassing technology and cyber operations, including deep technical skills. At this level, technology skills are as important as operational skills, such as monitoring or forensics work.
Typically, the term “intermediate” refers to the organizational hierarchy, denoting an operational role rather than management. The skills gap appears to be most pronounced at this level. Many practitioners working as specialists are still self-taught, particularly in terms of technical proficiency.
At the managerial level, the skills required are designed to close the gap between operations or technology – with its own language and culture – and general business. Despite the fact that many specialists are experts in their areas, there is often a gap between their world and the managerial and financial questions arising at the C level.
There is an obvious need for cybersecurity governance as well as management. Practical experience shows that cybersecurity managers remain few and far between. Today, many CISOs or CIOs have acquired their experience and skills through traditional IT or information security, but without specific exposure to cybersecurity.
The “leading” level is often represented by university researchers and experts who develop solutions from theory and academic concepts. Even so, the education path is fairly narrow, with a limited number of offerings for students and postgraduates.
What is there
Fortunately, there is a sizable market for educational offerings at all levels. The pyramid concept is useful in establishing education paths rather than having to rely on one-off training sessions.
Of course, there is a lively debate over what constitutes the right “blend” of skills. Historically, the cyber expert was considered the proverbial “nerd” or “geek” buried under heaps of hardware, socially marginalized and unable to communicate. Fortunately, this perception has changed. Today’s cybersecurity specialists must match the skills of their adversaries, including through social interaction and communications. Conversely, traditional managers used to maintain a marked aversion toward IT. Again, the cyber-savvy manager of today almost inevitably knows a lot about technology and is proficient in handling all sorts of devices.
The market for cybersecurity education is growing fast. With limited budgets and time, both HR departments and information security organizations are required to identify and combine individual components and offerings to ensure that content meets requirements.
What is missing
Often, organizations resort to education paths that are uniform, or at least fairly homogeneous, when approaching the training and skills profiles of their associates. However, there is no one size that fits all. The next generation of cybersecurity practitioners may be extremely intelligent and fast thinking, but are likely to have blind spots. For instance, someone who has grown up with the Internet of Things may not have the same level of knowledge when it comes to command-line Linux. Conversely, an old hand at mainframes may be lost when having to deal with an iPhone. This uneven set of existing skills needs a variable path to acquiring cybersecurity skills.
Filling the pipeline of new cybersecurity professionals should start with a thorough self-assessment, not an appraisal. Where people feel an assessment will lead to a positive result, like being able to acquire skills, they will be honest with themselves and their organization. In sharp contrast, traditional appraisals geared toward evaluating and marking down people for gaps will inevitably fail. As an example, tools like the CSX Cybersecurity Career Roadmap can help quickly identify broader areas in which action is needed.
Organizations that economize on training and education should be aware that organized crime is investing vast amounts of money to stay ahead of the game. In practice, skills acquisition for employees and associates is often surprisingly cheap. Much of what needs to be done is self-study, and the cost of obtaining professional certifications or membership in useful professional associations is in the range of a few hundred dollars.
A majority of organizations still seem to believe that cybersecurity people are easier to find by headhunting or hiring freelance consultants at low daily rates. None of these “strategies” are sustainable, simply because they will not get you enough people over a reasonable period of time.
ISACA’s 2019 State of Cybersecurity research report found that over half of respondents cited promotion and development opportunities as the second biggest reason cybersecurity professionals left their organization, followed by nearly half of respondents who noted that individuals left for a better work culture or environment.
The old argument about educating people only to see them leave afterwards is not a sound one: most cybersecurity experts or managers tend to stay in an environment where security is strong rather than living under constant (read: night and weekend) pressure from frequent incidents and attacks.
To fill the pipeline, organizations must draw upon their own strengths and maintain their own cyber skills program, rather than search for people in an already overheated market. What used to be the strategy of choice – harvesting from a limited pool of professionals who grew up in the 1990s and 2000s – is no longer an option, as both age and the overall number of skilled experts worldwide are limiting factors. The next generation of cyber experts will require a more thorough approach that starts with building basic skills and supporting individuals graduating in a cyber-related field.