In a recent article I wrote for ITSP Magazine, I discussed one of the prominent challenges that enterprises are facing today: the IT Security talent shortage. CISOs want to fill their security team bench with specialized engineers. The problem is, they aren’t readily available. In this post, I will share some of the highlights from the article and talk more about how to optimize skill development so we can grow the talent base for IT Security pros.
The skills required are diverse. Not only do we need greater equality in IT Security, but acquiring the right skills requires candidates to become part scientist, psychologist, psychic and businessman. Some skills can be acquired in a classroom and some on the job, but individuals also need to be forward-thinking and understand how to think ahead of the current threat landscape.
Former Truck Driver Turns Security Analyst
According to a recent report from Enterprise Strategy Group (ESG) and Information Systems Security Association (ISSA), Through the Eyes of Cybersecurity Professionals, the biggest skill gaps are in the areas of security analysis and investigation, application security, cloud security and security engineering and penetration testing.
Technical training institutes and trade schools are a great place to get started. I know someone who was a truck driver for 18 years and became a very successful cybersecurity analyst by going to night classes at a trade school and then rising through the ranks gaining hands-on experience. He now works at one of the leading non-profit hospitals in the US.
Understanding the Psychology of an Attacker
Security professionals ultimately need to know the psychology of attackers. Knowing how to think like an attacker, and understanding their mentality, the techniques they have learned (like big data), their incentives (fame, fortune, notoriety, etc.) and their goals, is crucial for beating them at their own game.
We teach students how to build things versus how to break them. In IT Security, it’s time to flip that around and think differently in order to recognize weaknesses.
Work on Future Skills
Academic institutions need to be teaching the techniques that we need in 5-10 years, not just what we need today. The challenge, of course, is it requires us to look for skills we don’t even know we need yet.
When we look at technology trends, I see two pressing skills that we will need:
1) Big Data Intelligence
Cloud and IoT have caused internal enterprise network perimeters to become more porous. In a recent Dimensional Research report, we are also finding that IT security professionals are now as concerned about internal threats (breaches, malicious insiders, careless users) as about external threats. As a result, security will be driven by more dynamic policies, which are often derived from the behavior of users and machines. Machine learning will help to build user profiles, and security policies will be based on behavioral identity rather than static identity.
2) Contextual Business Knowledge
The IT Security skills shortage has forced many enterprises to outsource security monitoring to third parties that don’t understand their specific businesses or processes. Quite often, they generate tickets that need to be reviewed by internal teams that are already spread too thin. Implementing automated response for first-level triage will become a priority, and it will need to integrate security knowledge, business processes and business-specific constraints.
Closing the industry skills gap will require a multi-pronged approach that develops both hard and soft skills in the workforce, all the while keeping in mind what we will need in the future.