The coming security talent crunch: An enterprise IT survival guide
There's plenty of opportunity in the job market for security professionals, but there's a woeful shortage of them to fill those slots. Add to that the fact that the skills of many network security warriors are not keeping up with their adversaries and you've got a serious problem facing IT in the coming years.
In 2014, nearly a quarter of a million job postings for security-related jobs were listed in the United States alone, according to the latest cybersecurity report by Burning Glass. What's more, cybersecurity jobs, which represent 11 percent of all IT jobs, grew three times faster than IT jobs overall from 2010 to 2014. Accompanying the growth in demand for security pros is a growing skills gap that IT departments are scrambling to address—a skills gap that's going to be severe by the end of the decade.
How will you deal with the security skills gap? TechBeacon talked to leading subject matter experts to put together a survival guide for the enterprise.
Just how bad is the security talent crunch?
(ISC)2, a provider of education products, career services, and credentials to IT security pros, estimates that by 2019 there will be a need for 6 million security professionals, but only 4.5 million will have the necessary qualifications for those jobs. The burgeoning growth of demand for security pros has transformed the career path from a narrow field to a broad one.
"It's been a very niche field for a long time, but in the last 10 years, the growth and need because of hacking has just exploded. You can't open a newspaper or turn on a TV or access the Internet and not hear about a hack," said Jim Michaud, director of cyber-talent solutions at the SANS Institute. "So what's happened is it's gone from a field that was relatively narrow and specialized to a red-hot field in terms of demand, and supply just hasn't been able to keep up with it."
At a panel discussion at the RSA Conference in San Francisco last month, Microsoft's corporate vice president and CISO, Bret Arsenault, declared that security wasn't just an IT issue anymore, saying it's now an issue for the boardroom.
"If you can imagine something going from a back-office niche to the single most important issue on the minds of board members on public companies, that kind of says it all." —Jim Michaud, SANS
Hitting the books
Although a number of universities, such as Mississippi State, Syracuse, Carnegie Mellon, Purdue, and the University of Southern California, have started to answer the call for security pros, most schools have not. "Universities take a long time to change curricula," Michaud said. "This field changes fast because the hacks and attacks change fast, so it's very difficult for universities. They're trying, but it's difficult for them to keep up with the speed of change."
Universities are contributing graduates with security skills to the workforce, but those are primarily foundation skills, noted Peter Tran, general manager and senior director for the Advanced Cyber Security Practice at RSA. "They're coming out of programs with table-stake skills," he explained. "They're filling the pipeline but not filling the back end of what's needed in skills development to handle advanced threats."
Universities aren't alone in trying to keep pace with agile adversaries. "Attacks are evolving rapidly," said Martin Nystrom, director of management operations at Cisco Security Solutions.
"There's a sophisticated, well-funded, and well-organized criminal underground which fosters innovation. We have to match that as defenders. We have to foster innovation and quick learning." —Martin Nystrom, Cisco Security Solutions
Organizations, as well as schools, have to take more seriously the cultivation and nurturing of the talent they have, said Scott Crawford, research director for information security at 451 Research. "I see schools focusing on the more technical aspects of cybersecurity and less on the management aspects of a security program, which is a good trend," he said.
A criticism leveled at security education and training is that it doesn't teach defenders to think like a hacker. Tran discounted that idea:
"Given the increased level of sophistication and the sheer scale of malcode being produced, security professionals need to think more like an artist than just a hacker. [More] creativity needs to go into looking at an attack now than before, when everything was perimeter-based."
Hiring cyber soldiers
Universities aren't the only sources for new security talent. Another is the military. For years now, all branches of the military, as well as their reserve units and the National Guard, have had cyber-defense groups. "The guys transitioning out of the military have great skills," SANS' Michaud said.
Cisco's Nystrom noted that his organization has hired a lot of talent from the military and that it has found them to have good discipline and knowledge of networks. "They still need cybersecurity training, but their terrific discipline is really necessary in a 24/7 managed security setting," he said.
One way to reduce the need for manpower in any industry is to focus automation at the problem. That might be true in the cybersecurity field, too. Crawford said:
"Automation can reduce the routine security tasks that people don't need to be directly involved in. When they're freed from those tasks, they can pay attention to the things that really matter."
Although security has made great strides in automating the detection and mitigation capabilities of defenders, it has also created the need to acquire yet more skills. "Because there's more complexity there, that's requiring more of our IT security staffs," Nystrom explained.
Nevertheless, automation can have a multiplier effect on an organization, allowing it to do more with fewer people and get more from the skill sets they already have on the payroll. "That multiplier effect is part of being a good defender," Nystrom said, "but with that increased power comes increased responsibility, because you now have the power to disrupt your whole network if you make a mistake."
Automation can expand the effectiveness of the individual infosec pro, but automation in other areas can wash out those gains. "When the Internet of Things picks up steam, everything is going to have an IP address, so the places that the bad guys can hack are going to go up by many, many multiples in the years to come," Michaud said. "When all those points of attack come online with the Internet of Things, we're going to need even more people to address them."
"With the Internet of Things, we're going to see a whole new set of product issues to worry about, so I see the demand for talent in the next three to five years going up, not down." —Jim Michaud, SANS Institute
Your friendly neighborhood service provider
Although there's no quick fix for the skills shortage, the reach of the existing pool of skills can be extended through managed security services. "Many organizations used to think they needed to hire staff for cybersecurity, but what's beginning to happen now is that security is starting to be outsourced to managed security providers," explained Marcus Sachs, senior vice president and CSO of the North American Electric Reliability Corporation and a member of ISACA's Cybersecurity Advisory Council. "A lot of that is because of the lack of individuals, but part of it is a recognition that, like in accounting, if you're a small business, you're not going to hire your own accountant, you're going to pay an accounting company to do that for you."
Such services corral expertise under a single umbrella and spread it to many organizations. "Clients typically want the provider to be a force multiplier for their workforce by adding eyes on screen to look at security data," 451's Crawford said. "If that relationship is good, then they may be asked to run the client's SIEM environment or manage vulnerability assessments."
Providers of managed security service can be especially helpful to businesses with a dearth of talent. These organizations may have cybersecurity systems in place but not know what to do with all the information those systems are generating. "A managed security company should bring some order to that and should give them actionable work, telling them, 'Here's the problem, here's how to fix it, or we'll fix it for you if you give us access,'" Cisco's Nystrom said.
Providers of managed security systems can also help organizations that have security talent on board but that may be overwhelmed by the burden of providing 24/7 protection of their systems. These security architects will know the weaknesses in their systems—vulnerable servers, unpatched software programs, and such—and may need help addressing those weaknesses. The architects may also have threat intelligence leads that they need followed but don't have time to tackle. "The managed security provider can be the hands and eyes of the architects across the network and bring their expertise and access to threat intelligence to identify what's truly malicious and what's actually benign," Nystrom explained.
Crawford agreed that the skills gap is definitely creating an opportunity for managed service providers, especially for providers of targeted services. "There's an opportunity for focused service offerings to close specific gaps rather than just broad general services," he said.
In the long run—five years or more—universities will provide the best solution to the security skills gap, said RSA's Tran:
"The generation coming out of our universities as those programs become more sophisticated and engaged in work-related co-op is the most promising avenue for solving this problem if we had time on our side, but we don't have time on our side, so the rich source of talent is going to be cross-functional recruitment within organizations and the military."
Beat the security skills gap
Demand for security pros will continue to outstrip supply and relief remains years away. Nevertheless, there are sources for talent that enterprises can mine for short-term relief.
How will your organization deal with the coming security skills gap? Share notes in the comments section below.