So what is the solution?
PAY THEM WITH MONEY.
The number one issue facing cybersecurity firms is a "chronic shortage" of qualified staff. That's according to the founder of market analyst Cybersecurity Ventures, Steve Morgan. "The single biggest trend, globally, is that there are chronic work shortages of qualified cyber security staff. It's an absolute epidemic," Morgan …
PAY THEM WITH MONEY.
Actually, that doesn't solve the problem of a current and worsening skills shortage; all it does is raise your payroll costs. How quickly can we train ITSec specialists, and give them the necessary experience? I'm guessing we're talking years for good people, because the context, underlying technology and business needs have to be understood, and then IT security is a skill set built onto that, and you need experience, not just training.
Employers can stick their heads in the sand, or they can put in place long-term training, development and retention programmes, which will inevitably require some tie-in. Employees don't like the tie-ins, but otherwise it'll just be musical chairs, with the most disloyal employees paid most, and the higher pay encouraging people to jump ship. In the UK, I'd offer a fully funded degree apprenticeship (perhaps extending to an MSc) so that the employees are heavily incentivised to stay with the company.
You can't force people to stay for more than one pay period as a contract that tries to enforce more is classed as a human rights violation in the UK. It's also a very bad idea to make IT security folk unhappy at work as revenge is a dish best served cold.
You can incentivise "loyalty" with shares that take a couple of years to vest, but is it a good idea to use that as a mechanism to make unhappy people stay?
Employers can stick their heads in the sand, or they can put in place long-term training, development and retention programmes
Training is becoming a less viable option. Due to the decline in manufacturing there are fewer and fewer trains under which to throw employees.
Seriously though, apprenticeships sound like an excellent idea.
If the pay is right, we'll have more people going into IT instead of law and finance. More IT security and fewer lawyers and hedge fund managers sounds like a good idea at this point.
Actually, there doesn't seem to be an IT shortage - just a shortage of IT staff who will work long hours for abusive managers and at substandard wages out of fear that their H1B sponsorship will be pulled.
There is no such thing as a skill shortage. By the same reasoning I could argue that there is a supermodel shortage on the basis that I can't find one willing to date a balding, middle-aged, overweight, flat broke sysadmin, which is clearly bunk.
Pay peanuts, get elephants in the room.
If you want an understanding of Cybersecurity you have to explore the darker areas of the web. Malware and exploit code sites. You have to understand how these are used in attack mode to learn how to detect and defend.
And every time you look at these for White Hat hacking purposes, to get into CyberSecurity, the Feds lock you up and throw away the key.
So the only games in town are the Spooks writing malware to hack their own citizens, and the malware writing scum who do the same for profit.
Trouble is, we're unlikely to take a job with an outfit which uses the term "cyber" with any degree of seriousness. Why? Because the term "cyber" as a technical term is only used by gullible idiots with zero clues who are inherently a pain in the ass to work for. Usually worse than doctors and lawyers, even. And that's difficult.
I've been offered a number of security jobs and on closer examination they all turned out to involve form-filling, box-ticking and writing screeds of arse-covering documentation. It's not really the kind of job that anyone would actually want, particularly if they're going to be the sacrificial goat when the inevitable happens.
What's the solution? The only ultimate solution is to have less vulnerable systems: there are going to be orders of magnitude more of them and they're going to be increasingly critical to the maintenance of life and it's simply untenable for them all to require their own Praetorian Guard.
Simply changing the law so those EULA clauses about limited liability have no validity would rapidly change the landscape.
That really needs to happen!
And the security industry has to stop pushing snake oil 'solutions' that haven't solved anything and start pushing solutions for secure architecture, design and coding. Most of the 'Top This' and 'Top That' coding flaws are either validation or error handling problems, or stupid design/architecture decisions.
Both likely to be driven by time to market pressures and the latest rapid development fad. Look how long DevOps was around before we saw the Ooops moment leading to DevSecOps...and then the next fad will blow it all away again.
The only ultimate solution is to have less vulnerable systems: there are going to be orders of magnitude more of them and they're going to be increasingly critical to the maintenance of life and it's simply untenable for them all to require their own Praetorian Guard. ... Warm Braw
Those less vulnerable and virtually protected SysAdmin with security newly provided by their own Praetorian Guard and Guardians/SMARTR Black and White Hats, is AI on a CyberSpace BasedD AIMission ..... for Perfectly Immaculate AIDVentures.
And what if you were to know that HMG, via chunnels delivering InfoSec into Cabinet Office WeB Files, is so informed of these developments, and puzzlingly presently absent in Leading Future Virtualisation of Realities for Presentation and Projection with Media to Global Populations of Inhabitants ........ realised released in Brave New Orderly IT World Orders ....... i.e. Fab Utopias created and hosted on SMARTR WeB Screens Posting NEUKlearer HyperRadioProACTive Info to Intelligence Security with Quite Surreal APT ACTivation Code to XSSXXXX, should they wish to be further enabled and more able in Prime Primed Primary Live Operational Virtual Environments.
Would you applaud their strange absence and/or think it most strange and possibly criminally remiss of them to not question more for More MegaMetaData Supply of Immaculate Imperial Source?
:-)I Kid U Not :-)
Have a nice day, Y'all
Get with the Program, UKGNI, and show a fine lead which apparently be alien to you. You have easy enough call surely upon national security resources for securing seeding sources.
And dumbed down voters might like to ponder on this polished gem .......
A resilient financial system is critical to a dynamic global economy--the subject of this conference. A well-functioning financial system facilitates productive investment and new business formation ….. Remark by Janet L. Yellen Chair Board of Governors of the Federal Reserve System at “Fostering a Dynamic Global Recovery,” a symposium sponsored by the Federal Reserve Bank of Kansas City Jackson Hole, Wyoming
And that allied to this ...... is Root Course for AIMegaMetaData Optimism, methinks....
amanfromMars Aug 24, 2017 9:05 AM ….suggests on http://www.zerohedge.com/news/2017-08-24/did-economy-just-stumble-cliff
Surely the lacklustre performance of QE fund supply is because the credit/fiat was supplied to the wrong ..... well, it is always people and persons of interest with all manner of various vested interests to serve and server to.
A simple re-run of the strategy with that mistake rectified with supply to Altogether Quite Different Clients with the Necessary Future Ken to Massively Profit from SMARTR Returns on Investments would create quite a tsunami, even in previously thought secure and impregnable trading markets.
Care dare share a nonsensical disagreement ?
The systemic problem, and inherent Achilles Heel weakness which delivers catastrophic vulnerabilities for penetrations testing and mass indefensible zeroday exploitation, is the executive administrations requiring secure elite protection are both corrupt and perverted to server continuity of a status quo arrangement rather than provide a better beta future reality.
Such a convention and tradition is unnatural and alien to progress, and therefore guaranteed to always fail?
One of the issues often seen is that "management" are keen to be known as "experts" but do not have the aptitude or passion for the subject.
Once you get "management" to understand that they have to recognise that those with the correct aptitude and passion for the work should have money spent on them to obtain qualifications rather than "managers" who use the cash to attend "cyber" conferences, then you might, just might, get an improvement.
And Senior Management also need to start understanding that they need IT managers in place who also have an aptitude and passion for the work - and these need to be listened to. So often you see IT Dept managers who have no operational interest or ability but know how to appease Senior Management as that is where they have set their target to get to.
The problem is that currently nearly all the jobs for infosec require experience in another job doing it.
What if you're at a junior level and want to move up with on-the-job training?
I would love a job in infosec but finding something local with a pay packet enough to pay for a wife, kids and mortgage is near impossible without some sort of cert that is 3 grand or more!
How exactly is anyone qualified in information security?
CISSP? Yeah, that's awesome. I'm sure a whole bunch of CISSP'ers could really sort your business out... providing the missing piece they needed was how high a frikkin fence should be.
CEH? Brilliant, you can break lame networks in a lab, but can you fix them?
Apart from certifications in quality management what seriously is out there?
Oh maybe some vendor certs... whoop.
I'd argue that in many cases the "fix" should come from developers of the apps/firmware etc and management, not from the person testing it - otherwise you are literally marking your own homework.
CEH I have and it's garbage. Waste of money; grab a couple of Linux books, Kali distro and go play for a couple of days in your own little VM lab, you'll be miles ahead.
CISSP is fine for what it is.
CISM is a good one if you are in a less technical role that allows you to use it, in other words where management actually listen (lol!)
Someone who wants to do security properly must be able to put him or herself in the mind of the people they're defending against. I know someone will know who I am because of the next statement: people who are good at security start from a position of having a grey mind, and actively choosing for the white side. But they need that dark side to stay in tune with what a bad guy would come up with and proactively shut that down.
If you want to employ security people, you must understand that duality as well as that choice. If you're smart, it should both worry you and encourage you. The worry is because that sort of talent needs leading, not "managing", to maximise its benefit to your company, the encouragement lies in the fact that if you have found someone like that you have found gold amongst a shocking amount of lead. That gets even harder if you need to find a leader for these people because at a minimum they need a fairly dark and non-PC sense of humour - think Jimmy Carr or Frankie Boyle.
However, especially large companies have a MASSIVE problem here: traditional HR approaches won't find the good guys, also because HR sees a company as a stack of horizontal layers and security people tend to cross that stack vertically. Tick box processes count for very little because it requires human skills, the ability to read between the lines of a CV and pick up clues from a discussion. It really takes one to know one, especially if you want to find the *good* ones.
The IT skills are not what makes a good security specialist, it's the aptitude at applying those skills and the motivation for doing so that makes the difference between a threat and an asset.
A big part of being qualified to do anything, including cyber security, is getting a substantial amount of work experience in the field.
Taking courses and getting certifications is just a start. It doesn't make you qualified. You need both education and experience. And getting experience is where the problem is.
When an aspiring cyber security professional looks for a job to gain experience in the field, employers tell him that he doesn't have enough experience. And they reject him. After many rejections, he gives up and finds something else to do.
An inexperienced worker cannot be hired, because he has no experience. But the only way he can get experience is to get hired. There is no logical way out of this infinite loop for the inexperienced worker. And anybody who is good at programming will recognize this right away.
It doesn't make sense for people to get into an infinite loop like this. And that's why people, who might be good at cyber security, are staying away from it. And this isn't just about cyber security. The whole IT industry has a problem like this.
The trick I learned to overcome this obstacle was to apply for jobs where my previous experience only counted for 1/2 of what the new role requires - then added in a commitment to learn the other half asap.
Once you've done that a few times you have a track record to point at to say 'see - I did the same thing here, and here, and here - so trust me, I can learn the rest'.
After a while I found I had enough experience to be considered 'qualified', even though I still take jobs where I only 1/2 know what I'm doing ;)
Disclaimer: This doesn't help getting onto that first rung, but basic certs like CCNA can help a little there. You don't get to the top overnight - well, I certainly didn't at any rate.
One of my stock interview answers goes as follows:
Interviewer: How much do you know about x?
Me: Not a lot, but ask me again in a few days and you'll get a different answer
Then, following the interview, read up on the topic, discern some pertinent points or relevant bits, then mail the interviewer (via the agency if necessary) with something that shows your understanding and enthusiasm.
Free training is everywhere these days, from overthewire.org to AWS free tier. Write blog posts, make GitHub contributions, use social media. Experience isn't purely from the job itself.
I suppose, there are various clever ways to overcome this barrier for entering the field.
But it's like people need to weasel their way in, with employers looking at them with a lot of suspicion and distrust. This kind of thing is undignified. And it's sure to turn off some of the best people, who have many other opportunities.
Why would a really clever guy try to weasel his way into a cyber security job, when he can study medicine and have a clear path from school to work?
I realize that nobody is doing this on purpose. Everybody is behaving in a way that looks logical and reasonable to them.
If you look at it as a computer program, then you can't point to any individual line of code and say that this is what's causing the problem. Because the problem is spaghetti code. It's slapped together without any rhyme or reason. It works in a way. But it's difficult to change. And it's causing a lot of problems.
What would be useful is to have some easier lower rungs of the Information Security career ladder, with a little more practical knowledge rather than just theoretical (CISSP is about learning the jargon as much as learning about security processes). Making security qualifications modular would be helpful, rather than some of the somewhat monolithic approaches at present. An Information Security apprenticeship scheme might be an idea.
Obviously there will be people recruiting looking at this thread: what qualifications at entry level are useful? CompTIA?
I have donkey's years of "cyber-" (dislike that word) security experience. This is basically because up until recently it was always seen as a hateful drudge job that nobody wanted to do and (as the least unwilling peon) I always got lumbered with it. Now there are so many organisations who claim to be desperately short of cyber-securititians, but what they actually are looking for are pen-test script runners and box-tickers. No way am I getting suckered into that.
Now there are so many organisations who claim to be desperately short of cyber-securititians, but what they actually are looking for are pen-test script runners and box-tickers. .... Joe Harrison
Methinks leading box for ticking makers is more the skill set sought, Joe.
I can't tell you how many times I've been offered lateral moves with higher pay. Why would I do that? I've been working professionally in Information Security for 12 years, not going to work for some wank with less experience. Stop wasting my time with your lame HR algorithms that decide what kind of job should be offered to a potential candidate. Those algorithms are unintelligent, that is why you are missing out on talent. <Drop the mic>
If they would start burning criminals to death in public display, there would be less crime, and fewer security people needed. But the world is run by greedy assholes that should be on that display, so it won't happen. Fuck sake, the biggest employers of IT people are the most criminal - CIA and NSA. Fuck working for the mob like that, it can have no good ending.
Sounds nice but curious to hear from fellow readers. When you treat tech workers like plumbers, training is often the first thing to go... So how much actual training was provided by corporations you worked for in the past decade etc? In the 90's training was decent. Early 00's less so, often just drip fed... But the past decade, non-existent with constant salary freezes.
They are happy to train their Sales staff, but IT - FORGET ABOUT IT.
Train yourself and get worthwhile experience under your belt; do the projects you need to, to acquire the skills and experience. Change jobs, learn a lot and be up for any challenge to increase your skills and experience.
Cheers guys, love IT, the business won't change - change yourself and keep moving on to bigger and better things. Don't be complacent.
You can't do a course and know 'infosec'. I'd been doing it for 12 years before I got 'qualified' with a CISM. Am I any better at the job now? No, it's a Mickey Mouse bit of paper just like CISSP and all the rest.
I've been asked a few times if we would take on someone with a 'cyber security' qualification into a security job. And the answer is almost always 'no': you don't need certs, you need experience. And the courses being done seem to obsess over pen testing. I don't really care about that, I pay nerds to do that for me. I need people that can take the output and work the mitigations into the business.
If you work in HR then it's all about the certs.
That's why in the sub-continent graduates are sitting exams like crazy for certs. Do they actually know anything outside the book? No. Can they relate security decisions to business risks, 'no'.
And the money being offered is crap. The last story on El Reg about this was touting figures of £85k for infosec bods. Most of the jobs I see advertised below C-level are more like £35k.
There are people who use "Open Source" and "Open Firmware", so there is no "Chronic Shortage"; the chronic shortage is having nobody to recognise that fact and employ them in highly well-paid positions, looking after your entire enterprise's IT or ICT needs, which is sadly never going to happen whilst you listen to a load of lies from Microsoft technicians and they quietly murder "Open Source" and "Open Firmware", killing off threats to its business model like IBM's PowerPC line of "Open Source" and "Open Firmware" chips whilst promoting a line of power-inefficient processors (Intel & AMD) with no RISC-V instructions. They really brought it upon themselves that nobody trusts them anymore, and they've harmed technology irreversibly as a result!