Hello, and welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.
Today we are going to discuss a topic that is on the minds of several employers out there. That topic is the cyber skills shortage. First, I want to mention that I do not believe the shortage is as extreme as industry leadership seems to think, but having said that I do believe there is a shortage that needs to be addressed.
To clarify my first statement about industry leadership, many organizations have lamented the lack of cyber-skilled talent available and the number of openings across the field. My main issue with these varied statements has to do with their search criteria. Instead of looking for specific traits (work ethic, motivation, initiative, assertiveness), they search for specific keywords, specific skills that can be taught.
Yes, for contracting companies sometimes the clients require (or THINK they require) specific skill sets in order to be successful or in order to maintain security properly. This is an area where communication is key; if the contracting company can ensure proper skill training of a new recruit, then looking for the traits versus the skills could be even more successful and lead to quicker “coverage”. That is a more in-depth discussion for various contracting companies, however, since service level agreements are tied to many contracts. Finding the right skills that can ensure that SLAs are met can outweigh the desire to bring in potential over experience.
I do agree that there is a skill shortage in the fact that technology is advancing at simply too fast a pace to keep up. Convenience has long outweighed security, and as fast as organizations develop conveniences like IoT devices there is a threat actor out there looking to corrupt that convenience for their own personal gain. Often this is occurring faster than security professionals can protect said devices. Oftentimes security is still pushed to the back burner in favor of quicker development and quicker release.
But, that takes me in a slightly different direction than the one we are currently addressing. Universities across the globe have incorporated cybersecurity into their curriculums. Many offer completely specialized degree paths that prepare future cyber warriors to hit the ground running. So, why the shortages? Why is this such a problem?
Think about the questions, and inject some critical thinking into the response. Try to think of a career field, ANY career field, that is not somehow connected to the internet. I have heard answers ranging from waste management to park ranger to crossing guard, but in all actuality each one of those is connected to the web. How? Timekeeping, human resources, accounting, all the back-end services of those particular career fields have connections to the web. So again, use critical thinking skills here and think about the question.
The answer is semi-simple. Every day more and more devices, applications, organizations, and people are connecting to the web. The result of that is that threat actors have more and more targets to choose from and a more diverse range of targets to choose from. Oh, and more and more threat actors are connecting as well. Sometimes those skills that are learned are just too tempting to use for personal gain, so not all cyber skill is used for the benefit of others.
If this were a risk management discussion a chart would show the exponential increase in cybersecurity risk based on the above statements. More things connected means more things that require protection. Imagine a town of 1000 people and a police force of 50. One law enforcement officer for every 20 people. Yes, yes, this is a rather unlikely ratio, but getting away from that particular argument, again, focus on the math. That town of 1000 overnight grows to a city of 10000. Again, overnight, the city grows from 10000 to 100000. Is the police force going to be able to grow as quickly? If it takes weeks or months to train up new law enforcement officers, can that pace be kept up with?
So, in cybersecurity terms, how quickly can motivated individuals learn cyber skills? How quickly can seasoned IT professionals switch career paths and learn cyber skills? Hate to tell ya, but it's longer than a day or a week. So, even the most motivated, assertive, willing student will take time, and during that time more and more “things” are connected, making the deficit larger.
I don’t mean to paint a bleak picture. Think of it this way; there is plenty of work to do as a cyber professional in dang near any realm of the cybersecurity umbrella, so your skills will definitely be used to their potential. Cybersecurity is not a phase that will be going away. There are so many different facets within cyber that one will have ample opportunities to learn new skills and hone existing ones.
GuardSight is slowly changing the narrative related to the skills shortage by hiring based on potential. Remember those specific traits we spoke of earlier? Work ethic, initiative, motivation? Yeah, those traits are a few that GuardSight looks for in potential candidates first; skills and experience are second (and not required). When you find those personnel that have those traits, training them up with the skills they need to succeed as cyber professionals does not take long and sets them and the organization up for long-term success.
We here at GuardSight thank you for taking the time to listen to this TomCast. For more information on various cybersecurity tips head on over to our website and check out more TomCasts. Those are located over on www.guardsight.com/tomcast. Or, if you would like more information on what GuardSight can do for you, head on over to www.guardsight.com and contact us. There are several free cybersecurity tools out there that can help you improve your overall security posture. We’d love to hear from you! Thanks!