It seems like every other day there is yet another article highlighting the impending apocalypse of the cybersecurity skills gap. The articles often moan that it is the fault of the employer for wanting qualified personal (who knew) and then try to solve the problem essentially with the advice:
Why not hire someone
who wants to “have a go”…
Cybersecurity is an attractive proposition because there is a strong demand for skilled professionals and that is often reflected in higher salaries, even for junior entrants into the profession. But hiring people, even at the junior end, who don’t have the skills you need is not necessarily a bad thing but in order to apply that model, you need a certain amount of support. So here’s our take on how to deal with the cybersecurity skills gap challenge!
Lies, Damn Lies and Statistics – Is there really a problem?
If we look a little into the skills gap debate, we see it is fueled in some part anecdotally and in some part by directed research. Industry statistics (which one should always take with a MASSIVE pinch of the old NaCl) suggest that:
“the [global] cybersecurity workforce gap is on pace to hit 1.8 million by 2022”
Let’s break the above figure down. The number of companies in the world, extrapolated from available data is around 115-300million with an average size of 20-60 people – variance is high because the estimates are very crude! When you look at the skills gap in this light, said gap is pretty tiny. Now you can get stats to tell you anything you want and there is clearly no uniform distribution of cybersecurity roles across the world. Most of the roles are in developed countries. Taking this into consideration and you start to see more of an issue. When you look at where the gap is, you start to see more of an issue. The gap is most certainly at the junior end of the pyramid. Why is this?
My take is organisations have outsourced a lot of their in-house IT expertise to third-party managed service providers. This approach was driven in part by cost-saving but was significantly accelerated by the Global Financial Crisis and increased risk appetite when it came to exploring the cloud. As regulators around the world lowered their objections, a “data rush” has been occurring. What this has meant is there aren’t as many opportunities within organisations to learn the basics.
Not all cybersecurity roles are direct entry
Why do aspiring cybersecurity professionals need to learn the basics? Basically, if you do not know how the thing you’re trying to secure works, how on earth can you secure it? If you don’t know how the business is using the IT in your environment how can you ensure that security is appropriately balanced against usability? If you don’t understand what the business you are working for actually does to make money, how can you possibly begin to understand the risks and threat vectors it may be exposed? The answer to all these questions is simply that you can’t. This is where the cybersecurity skills gap sits. It used to be that cybersecurity professionals would move into the field from another role. A Business Information Risk Officer programme would typically start off in an organisation as a side-of-desk exercise for someone in the department who either showed an interest (or was volunteered) in security. Now the importance of these roles has been proven, they are typically full-time roles in most large organisations. This often means the role-holder has no longer gained working experience of the business unit they support. The same goes for people operating in SOCs, Assurance or Audit roles. Most people don’t start in cybersecurity and this is confirmed in the stats.
“The vast majority, 87% globally, did not start in cybersecurity, but rather in another career. While many moved to cybersecurity from a related field such as IT, many professionals worldwide arrived from a non-IT background. Previous non-technical careers are diverse, including business, marketing, finance, accounting, or militaryand defence.”
What we now seeing is that those who would typically come from an IT engineering background (i.e. they know how to actually configure a firewall or GPO in AD or can code) aren’t coming through from within organisations because organisations are no longer employing the junior technical IT roles in the same numbers as they did in the past. Without such a feeder talent, it is pretty obvious that a cybersecurity skills gap will then emerge.
Cybersecurity Skills Gap – Managing salary expectations
The next challenge we face is salary expectations. Like any resource, cybersecurity should be rewarded based on the scarcity of resource and the need for the skills within most organisations. The supply and demand ebb and flow should, theoretically, stabilise as more people enter into the profession and salaries should then settle down. The challenge appears to be two-fold. Firstly, as the salaries have increased (because of scarcity) so too have the expectations of organisations. If an organisation has to pay so much for a particular role they must balance that salary against the cost of doing nothing – that’s just risk management. Sure in a lot of cases they are just putting the information security risk exposure on the corporate credit card but it is understandable. Secondly, there is often no defined return on investment for hiring cybersecurity professionals. In most cases, they are not making money, but simply one of the costs of doing business. Savvy business people want to keep their costs as low as possible so the higher the salaries go, the more likely a business may hold off making such an investment.
Cybersecurity isn’t sorcery
I took the heading title from this article “Calling BS on the security skills shortage“. In the article, it suggests that the cybersecurity skills gap could be easily fixed because:
“Security-specific skills can be taught”
This is absolutely true. This isn’t ground-breaking. It isn’t a revelation in thought. It’s stating the bleeding obvious. The trouble is the author then goes on to suggest that organisations need to “get creative”.
And this is the problem that is fundamentally behind the cybersecurity skills gap:
“Who provides the teaching and who funds the teaching?”
When an organisation identifies a cybersecurity skills gap, the main reason is that they don’t have those skills in-house. I’m sure the author, based on their career, will have had a large pool of talented IT professionals to draw from because they have worked at various technology vendors throughout their career. It’s pretty easy to retrain a developer into a Web Application Security Tester or a Networks Engineer into a SOC Analyst. It’s not so easy to turn someone in the call centre into either of the above security roles with a few “lunch and learn” sessions and a one week ISO 27001 Lead Auditor Course. In any case, who is providing this training? Whilst this training is occurring, who is securing the organisation?
For organisations that don’t currently have a cybersecurity capability then it is clear such an approach is dead in the water. You can have all the potential in the world but if there is no-one to teach you the correct way of doing things then it is the organisation that will be the casualty.
Cybersecurity Skills Gap – Is there a better way?
There are many ways to approach a situation and internal training is certainly key to reducing the cybersecurity skills gap. Saying there isn’t a skills gap or suggesting that organisations develop talent from within will only solve the problem if there is someone to teach, coach and mentor. This solution only works if there someone to supervise until the training wheels can be taken off. This solution only works if there is someone to fix whatever the person learning inevitably breaks – and they will!
For those organisations that are facing this challenge, there is a better way. Consider finding an external resource to help build and mentor your internal team. Someone who can train them over a period of years, gradually upskilling your workforce. Invest in your employee training. Look for courses that offer a heavy practical element. Don’t just go for certs that are purely exam based with little to no hands-on training. Practical education – the more you can get of this, the better!
Finally, there can be all the practical education in the world – and there is quite a lot – but organisations need to support their junior employees. There is a lot of funding (certainly in the UK) for training if you know where to look. Even where there isn’t external funding, organisations should be investing in their cybersecurity professionals. It’s a simple fact that employee turnover costs businesses a lot of money. Investment in development increases retention. So, what are you waiting for, put your hands in your pockets and get your junior staff a coach and some practical training!
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
22301 22301:2019 article 28 awareness bcms BIA business continuity calculating risk change management ciso controller cybersecurity data breach data privacy Data Protection data protection by design data protection officer data protection service Data Subject Access Request DPO DSAR GDPR incident management information security leadership monitoring operational resilience Outsourced DPO Privacy processor risk risk appetite risk management ROI security security as a service small business strategic strategy Subject Access Request tools training transparency vciso virtual ciso