One of the biggest challenges in the cybersecurity field is that there aren’t enough qualified experts to manage the volume of attacks, alerts, audits, incident response drills, infrastructure upgrades and compliance reports. And that’s not even getting into threat hunting or risk hunting. So, how do we get more skilled workers and white hats on board to fight the growing number of bad guys out there?
According to Ben Johnson, chief security strategist, Bit9 + Carbon Black, steps are being taken to make improvements: technology (in some situations) helps automate things, reducing the amount of human interaction needed; programs to incentivize entrance into the information security field are being formed; and mainstream exposure in the entertainment industry, such as the movie Blackhat and the TV show CSI: Cyber, increases the “cool” factor. However, the industry still has an urgent need for technology professionals, analytical thinkers and engineers. For those looking to get into a market that’s currently red hot, and those looking to refresh their perspective, Johnson has identified some tips to keep in mind.
Filling the Cybersecurity Talent Gap
Consider how to leverage your existing skills.
If you’re a programmer, your expertise may come in handy for creating more secure software development lifecycles, or you may be qualified for a security engineering position where you help utilize vendor APIs to incorporate automation and orchestration. If you’re a network admin, you can transition into more of a network security-monitoring role. Chances are cyber defense has a position to fill that can utilize your existing skills, so expand your horizon to see how what you bring to the table may fit some of these emerging positions.
Not everyone is the starting quarterback.
Some security teams need a quarterback, but almost every team needs a lineman or a defensive back – team players to fill the foundational positions and perform the basic blocking and tackling. These roles are desirable, especially when you’re new to a position, because you get to interact with different specialists and familiarize yourself with a variety of tools before getting put in as the QB and having to call the plays. You’ll gain experience quickly and figure out where you can make the greatest contribution.
Redefine roles and team needs.
The security landscape is changing, and with it come changing needs for roles on the team. Some of the most successful teams Johnson has met are doing things with a slight twist. Almost all security hires are more like programmers, because right now the ability to leverage vendor APIs and tie information together is in high demand. Being able to write a few lines of code to filter out some of the events you’re seeing, generate customized alerts that are more easily digestible or pull in custom context and threat intelligence are some of the key reasons to have programmers on your security team.
Beyond that, think outside the box. Look to bring in financial analysts as security analysts, because these individuals are skilled at critical thinking, looking at data and patterns and leveraging multiple technologies to help reach a conclusion. Or perhaps look to someone with a background in venture capital, who can bridge the language barrier between technologists and internal business leaders so that everyone shares a unified level of understanding.
Put your money where your mouth is.
The government is creating incentive programs to fill the national cyber talent shortage, but the effort should extend beyond that. If a company really wants top talent, it should put the fate of its workforce in its own hands. For example, what if it loaned a top prospect the fee associated with completing SANS classes? If they pass, they are hired by the company. The employer knows that the employee has a particular baseline, and they could count that money as the employee’s training budget. As an industry, Johnson believes we need to think more like this so we can attract working professionals and other non-college talent pools into the world of cyber defense.
Welcoming New Talent
Expand the circle.
The truth is, security circles are often filled with mild arrogance because, well, this is a field full of intelligent people doing hard jobs. But we need these circles to be welcoming. The security ninjas need to treat the white belts with respect, and nurture them so they can eventually wear a cyber-defense black belt. We need mentoring programs, free or less expensive training and improved marketing and PR efforts to let the public know that cybersecurity is a great career path!
You don’t have to be in security now to get a security job, and you don’t have to just recruit existing security professionals to fill your ranks. There’s a plethora of opportunity, so we just need to create more incentives, generate exposure to the broader technology and analytical thinker talent pools, and then execute.