Contributed by Kall Loper, Vice President of Digital Forensics and Incident Response
Where Are All the Cybersecurity Professionals?
In searching for a few pithy quotes about the lack of available cybersecurity talent and rapid increase in threat activity, there are thousands—hundreds of thousands, if you believe Google—of articles, reports, and op-eds that speak to this challenge. The lack of cybersecurity talent is neither a new nor unexpected problem. Yet, we still don’t have enough cybersecurity professionals.
I started researching cybersecurity topics through digital forensics and threat actors in the mid-1990s. My research has been published, quoted, and largely ignored, as much academic research is. In 2000, I opened a consultancy as a side job to my career as a professor. By 2006, I left a position as an academic department chair to pursue that consultancy full time.
My background in both academia and the corporate landscape shapes my perspective on, and the years of consideration I have poured into, two popular assertions:
- Cyber threats are increasing in frequency and impact
- We need more cybersecurity professionals
With Cybersecurity Awareness Month underway, this is an important moment to reflect more deeply on the causes of these two facts—and also chart the path forward to narrow the gap in our cybersecurity talent.
Why Isn’t There Enough Cybersecurity Talent to Meet Demand?
Academic programs and corporate needs are misaligned
Academic programs are not equipping students with the skills they need to hit the ground running at the corporate level. Several factors—including limited access to data, siloed disciplines, and academic politics—are driving the gap.
Academic research lags in key areas such as ransomware prevention, mitigation, and recovery largely because academics do not have timely, consistent access to data. In the corporate world, cybersecurity practitioners have real-time access to the latest threat intelligence and the full ransomware attack life cycle, including the essential business recovery phase. Because the corporate world is structured to seek advantage over competitors, however, proprietary information is often held back—and thus not readily accessible to academic programs.
On the corporate side, employers struggle to find professionals with certified and tested skill sets ready to meet a need for immediate competitive benefit. To fill this gap, private organizations often provide cybersecurity training and certifications with varying degrees of depth and substance. While almost universally adopted among corporate cybersecurity professionals and their employers, the costs are high—in some cases, comparable to universities in cost per contact hour.
Both universities and private enterprise have failed to resolve the prisoner’s dilemma. Briefly, the dilemma is that cooperation and alignment between the two yield more total good, but self-interest offers more individual competitive advantage. This ultimately constricts the job market and funnels graduates into large enterprises that can absorb the burden of training.
Despite this gap between academic training and practical skills, larger enterprises often place a premium on college degrees in candidates, thus reinforcing the cycle of misaligned goals. The alternative path emphasizes reliance on the social fit of a new professional seeking mentoring or simply training to fill the gaps in their education. This has profound implications for reinforcing existing clusters of professional characteristics in the field and restricting diversity of thought and talent source alternatives.
Siloed skillsets limit diversity—and critical thinking
Siloed skillsets and knowledge bases are another feature of academic life that can inadvertently limit cybersecurity talent. This has been under meaningful attack since the late 1990s when the NSA started requiring multidisciplinary participation (Criterion 4) in their Center of Academic Excellence (NCAE-C) program. For numerous reasons, both good and bad, we resist integrating our disciplines in teaching and research.
Problem-solving skills are often constricted by these siloed disciplines. Skilled coders from computer science programs often lack basic knowledge of enterprise IT architecture or the business purpose their code serves—which can prove essential to a comprehensive cybersecurity posture.
There is a truism stating that diversity increases resilience. When the pandemic accelerated reliance on technology, IT teams struggled to accommodate business needs. In many cases, this came at the expense of thoughtful security. At the same time, widespread adoption of automated defenses like endpoint detection and response (EDR) tools made the propagation of malware more difficult.
Ransomware threat actors met the technology challenge by exploiting poor practices, training, and architecture. They were able to shift away from pure malware attacks to a business system and architecture-enabled attack on identity and access. These capabilities are technical but require a nuanced understanding of the business processes that shape them.
Business, MIS, and Law Schools offer a more diverse selection of candidates and train them to expect different rewards that motivate them. In the realm of corporate incident response, engineers are certainly needed—but so are many other skillsets as well as the communication and leadership skills to bring them together.
Constricting forces on people reduce available talent
While the course of an individual’s career is not bound by group membership, it is a powerful predictor of outcomes. People gravitate toward rewarding experiences when they make choices in their career paths. They bring different resources with them when they approach those choices; thus, potential professionals both well-prepared for and with access to college are more likely to achieve their ambitions.
Career paths and skills cluster around personalities, preferences, and often preparation, but these are shaped by affinities for particular rewards shaped during education. For example, our preparation in engineering-based cybersecurity rewards and praises technical problem solvers more than the consensus seekers and collective decision making found in fields with greater diversity.
Building Cybersecurity Talent for Today — and Tomorrow
The cybersecurity talent shortage will continue to be a problem—but that doesn’t mean it can’t be solved. While it is a tremendous task to take on, there are digestible steps we as a cybersecurity community can take to address it.
1) Consider job candidates even if they don’t “tick all the boxes” or reassess the value of those boxes
Many companies are looking for IT talent who can hit the ground running with little to no training. But research has shown hiring for the person first and skills second generally yields better results.
The truth is, the “perfect cybersecurity candidate” is often difficult to find and incredibly expensive. Many companies are missing out on some of the best employees simply because they don’t have certain attributes that are easily and quickly learned. This is especially relevant for those looking to build their cybersecurity team. That candidate who is one year of experience short or doesn’t have every preferred certification but has a great attitude and willingness to learn could be your perfect hire.
2) Explore other communities and verticals to attract talent or mentor your staff
While cybersecurity roles certainly require the coding and abstract logic taught at the university level, effective mitigation and response also require awareness of business processes, legal judgment, and effective communication skills.
Consider tapping into other professional communities to provide training and mentorship in overlooked yet important skills—from program management to communications skills and more.
3) Bring in the right partner to build your team
Having the ideal mix of people, processes, and technology to monitor and be ready to respond 24/7 is not always within an organization’s means. Even if you have strong cybersecurity talent on your team, your organization may not have the resources or budget to provide ongoing training and education. Engaging a cybersecurity partner as an extension of your enterprise’s in-house team can be an effective way to supplement your existing cybersecurity program and optimize your business operations with an established team of well-versed cybersecurity talent.
Take the first step in transforming your cybersecurity program
Enterprise security teams are adapting to meet evolving business needs. With six global Security Operations Centers, emerging technology partners and a dedicated team of security specialists, Cyderes is well-positioned to be your organization’s trusted advisor in cybersecurity. We’ll help you understand your risk exposure, increase your visibility and ROI, and proactively hunt for the latest threats.