Confronting the widening infosec skills gap

15.05.2015
The unemployment rate for information security professionals is essentially zero.

For individuals with the right skills, that's probably enough to break out the champagne -- a guarantee of lifetime job security at good wages.

But organizations in general, both public and private, are stuck dealing with the very large cloud in front of that silver lining: Nonexistent unemployment means there are not enough people with the right skills to protect them from the multiple online threats they face daily.

The size, number and sophistication of attacks continue to rise, while the number of trained security professionals is not keeping up with the demand.


The "skills gap" alarm is being sounded from multiple directions. The Enterprise CIO Forum recently cited an infographic from Norwich University's Online Information Assurance Program, which ticks off the reality in a list of statistics:

Elsewhere, at a symposium last month on command and control and countersecurity organized by King Saud University in Saudi Arabia, Mark Goodwin of Virginia Tech University warned the audience that "some reports say that we have globally less than 1,000 people who are truly qualified, whereas we need over 30,000 to address the problem."

Cisco's 2014 Annual Security Report puts the worldwide shortage of infosec professionals at 1 million.

David Shearer, executive director of (ISC)², which has been tracking the workforce shortage for more than a decade, said it will get worse. He said he expects the gap between the demand for infosec professionals and the supply to grow to 1.5 million by 2020.

Montana Williams, senior manager, cyber security practice at ISACA (previously known as the Information Systems Audit and Control Association), said one report he read said the shortage is already at 4.5 million.

(ISC)²'s latest Global Information Security Workforce Study (GISWS) found that, "62% of nearly 14,000 respondents (up from 56% in 2013) reported that their organizations have too few information security professionals," even though they had higher budgets to hire more people.

He said the major problem has shifted from a lack of money to, "an inability to find the right talent.

"The main issue is that technology is advancing at a far more rapid pace than our ability to secure it," he said. "Everything from medical records to household devices to automobiles is going digital."

One obvious question about the growing gap is why it seems to be taking both the IT industry and organizations in general, both private and public, by surprise. After all, security threats have been around for decades, and have been expanding exponentially in recent years.

Besides career security, the field also offers better-than-average pay. A recent salary survey by Computerworld found that from 2013-14, average pay had increased by 6.7 percent for CSOs, from $155,221 to $165,600; by 5.3 percent for infosec managers, from $112,509 to $118,484; and by 3.5 percent for infosec specialists, from $87,605 to $90,696. (For more from that survey on security pros, see "Money on the mind of security pros.")

Still, Bobby Dominguez, CSSO of Lynx Technology Partners, said he thinks organizations were a bit blindsided by the acceleration of attacks.

"I don't think it was really recognized as an issue until the breaches became headline news," he said. "You can see the steep climb coming in mid-2013, especially after the banking industry began to experience distributed denial of service (DDoS) attacks."

He said government regulatory requirements over the past couple of years also increased demand, and then, "once the private sector became affected," demand spiked.

But Dominguez said another reason is the increasing sophistication of attacks, which has required a "skills shift" away from "passive" security.

"The real skills gap started when security departments began to augment their programs to include malware reverse engineering, forensic analysis and threat analytics," he said. "This was driven by the attacker's increased use of customized, targeted attack malware and sophisticated, blended techniques that were difficult to detect among the normal noise of security events in a network."

Williams said he thinks part of the problem is that in spite of the demand and good pay, awareness of it hasn't trickled into the nation's educational system. There isn't much focus, he said, on technical careers.

"We've lost the 1960s focus on being a rocket scientist," he said. "You hear college students talking about being doctors and lawyers, but nobody says forensic analyst. It's not talked about in the mainstream."

Added to that, he said, is that at the middle school level, "most teachers have general degrees, so they tend to shy away from technology. They're afraid that if a kid asks a question, they won't have the answer for it."

But, with growing awareness of the gap, there are now multiple efforts to address it.

Shearer said (ISC)² is working with both public and private educational institutions to, "embed cyber into their courses, particularly within IT, now that we are seeing so much more security activity managed at this level."

One of those initiatives is the Global Academic Program (GAP), which promotes industry-academic cooperation to bridge the workforce gap.

"Last year, we developed a report from the (ISC)² Foundation and the University of Phoenix to highlight the challenges posed by the shortage of cybersecurity professionals," he said.

Williams points to initiatives like the National Association of Cybersecurity Education, launched in 2010, "to get the whole nation aware of the threats that exist."

He said one of the goals is professional development for teachers so they can "infuse cyber education into their existing curriculum, from literature to math and social sciences."

But he and others agree that it will take more than high-school and college courses to deliver the level of skills needed.

Aaron Cohen, COO of the Blackfin Security Group, said one of his firm's initiatives, called ThreatForge, provides threat simulation training that seeks to come as close to real-world attacks as possible.

"There are extremely talented people within organizations," he said, "but it's hard to take someone in a systems administration role and make them a security expert."

Education is useful for learning the basics, he said, "but there is no replacement for on-the-job training. You can't just throw somebody into the fire."

And he said security threats change so quickly and significantly that it is hard for traditional educational institutions to keep up.

"Handing somebody a book or labs from several years ago isn't really going to work," he said.

That is also the message from Williams. "Cybersecurity skills are perishable," he said. "It requires hands-on, constant training. We need skills-based training and performance-based evaluation, instead of studying a book and taking a multiple-choice test."

He said the speed at which threats change is dizzying. "In medicine, things might change every year," he said. "In cybersecurity, they can change every 10 seconds."

He said some of that need is influencing education, in the form of competitions among high school and college teams defending networks against simulated real-world attacks. "The National Collegiate Cyber Security Defense Competition even offers scholarships, just like for football," he said, adding that students in such programs are qualified for entry-level positions with the National Security Agency or Department of Homeland Security on the day they graduate.

The other reality, however, is that security is a life-long pursuit. Dominguez said it is important for organizations to realize that it is, "not a project with a discrete start and finish. It is a process that continues to evolve, as do the attack methods and threats."

So, amid the ongoing efforts to close the skills gap, there are likely to be ongoing challenges.

Dominguez said finding qualified security experts, "is even more of a chore now because the good ones are employed.

"I am generalizing here -- this is not true of all those seeking employment in today's market -- but those in the market are primarily those that do not have the deep technical skills," he said. "To grab top talent, you have to outbid the competition and offer more incentives."

Shearer also said the shortage will continue to create difficulties. "We will see a heavier reliance on technology -- automated processes -- for security," he said. "Breaches will certainly continue, with more sophisticated attacks and less personnel to mitigate the damage."

(www.csoonline.com)

Taylor Armerding