6 Reasons Your Security Recruiting Sucks

  • October 27th, 2015

By Ericka Chickowski

As we discussed in our previous blog, the security skills shortage may not be quite as real as some industry reports claim it to be. But that doesn't mean it's easy to recruit and retain talented professionals into the industry. It just means many organizations are blaming market dynamics for their own shortcomings.

In my discussions with security professionals about the so-called security shortage, it became apparent that this gap has less to do with a shortfall in supply and more to do with some fundamental problems with the way that business leaders run their security programs and manage human resources.

If you're one of the majority of leaders who report in industry surveys that you can't find good security talent, here are some likely reasons why.

You Look For Very Specific Skills

Pundits say that colleges must train graduates in 'cybersecurity' skills - heck, some even want kids in middle school and high school trained in cybersecurity.

The difficulty is that this specific skill set is a moving target - actually a large number of moving targets, because it encompasses a diverse set of specialties. As the threat landscape changes, cybersecurity demands change, and once-valuable certifications or cybersecurity degrees grow stale.

What doesn't grow stale is fundamental knowledge in some key competencies: risk management principles, network architecture, software design and programming, and data science.

Unfortunately, when the industry fixates on recruiting for very specific skills - whether that's a specific technology or a degree that's laser-focused on cybersecurity - it counts out a whole pool of smart recruits. There are lots of candidates out there with a solid grounding in those fundamental key competencies and an aptitude for learning on the job. Such candidates would probably make fabulous infosec pros with just a little bit of development.

"We don't hear about engineering firms bemoaning a lack of people with degrees in bridge engineering, or architectural firms complaining about a dearth of graduates with degrees in skyscraper architecture. The military doesn't cry out that it can't find recruits who are already trained in combat," writes Ira Winkler, president of Secure Mentem, in a spot-on piece last month in Computerworld. "Why, then, do so many government agencies and private-sector enterprises bemoan a lack of cybersecurity professionals?"

Rather than seeking out a very specific laundry list of cybersecurity skills, organizations would have more success building a staff by seeking candidates who demonstrate a few targeted fundamental competencies and the grit it takes to learn the rest on the job.

You're Looking For Unconventional Thinking In Conventional Places

Winkler's point is that the best security professionals tend to come from somewhere other than security. If organizations want the kind of unconventional thinkers who can shadow-box with attackers, they've got to reconsider the conventional places they're looking for employees.

"(We must) change the way we approach recruitment," says Monzy Merza, chief security evangelist at Splunk. "Experts who will solve some of the greatest security challenges won't always come from top-tier schools with post-graduate diplomas, so it's important to look beyond the resume."

This means looking for talent in unlikely places, he says, such as hackathons or "capture the flag" events. Similarly, consider looking for talent in other disciplines and departments. For example, data science is an increasingly important skill, because security teams must analyze increasingly large data sets to correlate events and pinpoint malicious behavior. Creative security leaders may find it is easier to recruit a data science guru from the business analytics team and pair that person up with experienced security staff than it would be to look for a "perfect" recruit with both security and data science skills.

You've Fallen In The Cert Trap

A corollary of the too-specific skills requirement is the over-reliance on certifications to qualify candidates.

"To be good at infosec, one must be smart, detail-oriented, imaginative, and audacious," says Nick Selby, a former analyst with the 451 Group and long-time information and physical security professional. Selby says he means no offense to the plenty of smart colleagues who have security certifications, but that the ethos of certification rubber stamps runs contrary to the entire security mindset.

"The purpose of certs is to assure corporate weenie types that the guy you're going to hire has those qualities, but is also reliable, sustainable, predictable and won't grow psilocybin in the mold under the break room sink," he says. "These are almost mutually exclusive, but to make security palatable to the executives, we compromise our values."

This is not to say that organizations need to give up on certifications entirely, but clinging to them as hard-and-fast requirements is a surefire way to create an internal security skills shortage even if there are plenty of good people to be had.

Your Salary Expectations Are Unrealistic

There's a great piece from CSO magazine last year by George Hulme that shows that one of the biggest reasons organizations aren't able to recruit quality talent is that they just aren't willing to cough up the dough that these candidates rightfully demand. The skills shortage is actually a shortage of people willing to work below their market rate.

Industry analyst Daniel Kennedy of 451 Research sums it up for CSO, stating, "It's a very interesting job market dynamic. Enterprises complain that they can't attract talent, they say that they can't keep talent, and [they say] they've tried everything to do so except salary raises."

This goes not only for recruiting, but also retaining those motivated staffers who have done the work to improve their skills on the job.

Your Culture Plays The Blame Game

"Many security teams find the constant pressures from the 'blame culture' of corporate America too intense, and the fear of getting fired for a breach often takes its toll," Merza says.

Too often, security roles are created for people to act as corporate totems rather than meaningful change agents, and they lack the executive support, authority, and adequate budget needed to get their jobs done. This is a total scapegoat situation and one which seasoned security pros can sniff out pretty quickly. It'll have them running for the hills, either during the interview process or pretty shortly thereafter.

You Throw Bodies At Your Security Problems

The reason it is so easy to believe there's an actual shortage of skilled security professionals on the market is because every security practitioner has felt the pain of being stretched too thin at some point in their career. We get it: There's too much to do with too few man-hours on the roster.

However, the scale at which the attacks are launched against organizations today puts security teams in an impossible situation. There will never be enough security people on staff to handle the threat landscape without changing the security program's modus operandi.

In other words, if you respond to problems of scale by throwing more bodies at the problem, rather than by automating, optimizing operations, and looking for creative ways to tap into the security talent pool, you are always going to feel like you don't have enough hands on deck.
