One thing that jumped out at me while I was at Computer and Enterprise Investigations Conference (CEIC) 2014 in May was the number of discussions regarding the lack of well-trained IT security professionals. Many of the different sessions I attended brought up this issue as one of the reasons why the bad guys are winning the cybersecurity wars. One session focused specifically on the lack of security professionals during the CEIC’s opening day’s CISO/CLO Summit.
True, the lack of trained IT security professionals is a serious problem. In March 2014, Jon Oltsik wrote in a NetworkWorld blog:
According to ESG Research, 25% of enterprise (i.e. more than 1,000 employees) and mid-market (i.e. 250 to 999 employees) organizations claim that they have a "problematic shortage" of IT security skills. Furthermore, of those organizations planning to add IT headcount in 2014, 42% say they will hire IT security professionals. This is also the highest percentage of all. In other words, more organizations plan to hire IT security professionals than any other role within IT.
Finding skilled IT security employees is the real challenge, according to articles I’ve read and the three panelists at the summit session at CEIC. According to the session’s speakers, it can take months to find someone who fits the qualifications necessary. There were calls for colleges to take action and offer more in-depth studies for coursework and majors in cybersecurity. But that presents another Catch-22—a number of the attendees at this summit session admitted they had little interest in hiring kids straight from college because they want them to have real-world experience in addition to coursework. One person stated that his firm had fires to put out now and they didn’t have time to train someone. But at the same time, he said it took them over six months to find someone with all the skill sets the company was looking for.
A Wall Street Journal blog pointed out one reason why it is so difficult to find skilled security employees:
Skilled cybersecurity professionals are not only hard to find, they’re hard to cull from the resume pile. This is an emerging role, and there is no industry consensus on the profession or how it differs from conventional information security. The National Initiative for Cybersecurity Education (NICE) is still in the midst of a multi-year process of considering whether cybersecurity is ready to be professionalized. The Bureau of Labor Statistics uses the role of information security analyst for its projections, yet many companies have highly skilled cybercrime fighters who come from other backgrounds.
The Wall Street Journal piece went on to say that there needs to be an early emphasis on STEM classes and getting kids interested in the math and science courses that make up the backbone of cybersecurity skill sets. Yet, this idea is at odds with what was suggested by the CISO Summit panel. According to those high-level security professionals, STEM courses are important, but we have to stop thinking of cybersecurity in terms of just an extension of IT. Security professionals also need to understand who the bad guys are, why they are attacking and how to anticipate their threats. Doing so requires so-called soft skills like psychology, sociology and even history. Security professionals, the panel added, also need good communication skills. One of the barriers identified in successful cybersecurity is the lack of communication between security professionals and C-level management.
After this session, I had a chance to sit down with Victor Limongelli, president and CEO of Guidance Software. We further discussed the problems with hiring a skilled security workforce. Limongelli and I agreed that perhaps one way to help solve this crisis is to create in-house training programs similar to those for new engineering and computer professionals. As we spoke, we both were hard-pressed to think of another profession where new employees, especially those with limited job experience, aren’t provided training specific for that company’s needs.
Our conclusion was that we don’t know why companies are reluctant to bring in employees with less experience and provide on-the-job training. Sure, it is time consuming, and it might cost a little more, but having someone there learning has to be better than not having anyone there at all.