Why We’re Facing a Resource Gap
July 22, 2020
25 min read
Many studies have shown that there is a talent gap in cyber security, and given the current state of cyber security's talent development practices, that is not surprising.
This talent gap is a contributing factor to the overall resource shortage as well as a lack of diversity throughout cyber security and technology companies as a whole.
This article explores the common issues in talent development and cyber security across three categories: the common approach to talent development, current hiring practices, and legacy cyber security dogma.
Approaching Talent Development
The Current Educational System
The current approach to developing talent in the United States runs through elementary, middle, and high school, preparing students for the goal of attending and graduating from college. Many of the students who attend college end up in significant debt because of it.
While college graduates get overall domain knowledge in a discipline aligned with their major like information technology or even cyber security, they rarely get the real-world insight they need to work in an actual job.
This job performance capability is what many organizations want, especially in a demanding industry like cyber security. As a result, many college graduates struggle to find work, making their debt situation worse.
From a diversity perspective, this system creates exclusion early. The quality of the schools that people have access to early in the educational system can hinder their ability to qualify and prepare for college. Exclusion also happens at the college level for financial reasons, given the cost of applying and the cost of paying for a four-year education.
The Perceived Identity of a Cyber Security Professional
If you were to search for an image of a hacker on the internet, almost all the results would be of white males in hoodies with some nod toward technology. It’s difficult to get a diverse, non-technical pool of people into the discipline if this is the image often conveyed of cyber security professionals.
What’s worse is that cyber security is mostly working with people, even in the most technical job roles. People with non-technical backgrounds can be incredibly successful in the industry, but many stop themselves from applying because they think they aren’t qualified.
Lack of Support for Common Roadblocks
There’s often a stigma in our society regarding discussing roadblocks that people face in getting employment. We often want to avoid discussing things like housing insecurity, financial considerations regarding accessing healthcare, technology, childcare and more.
We often place the onus on the developing professional to address these issues on their own as they develop their skills or look for employment. Doing this alone makes it challenging to solve these issues while simultaneously developing their skills, but this is precisely the expectation we have of people seeking to enter the security discipline.
Even after employment, when support in resolving these issues might be more critical, there is still a taboo about discussing the financial or personal needs that employees must meet. This aversion to providing personal support only makes diversity issues worse, as many of these roadblocks are distributed unevenly based on race, gender, and ethnicity.
Educational Focus on Domain Knowledge
Early educational programs in the U.S. tend to focus on high-level, foundational information about a discipline. Cyber security-specific training programs and certifications such as the CISSP or other technical certifications are no different. They focus on providing domain knowledge in cyber security, but neglect to talk about what aspiring professionals need to know regarding tasks in specific job roles.
It’s like teaching people about the discipline of race car driving rather than teaching them about how to conduct a specific job in car racing, like changing a tire.
If individuals are to find work more quickly and become hirable earlier, education needs to shift toward role-based training rather than focusing entirely on domain-level knowledge.
Use of Apprenticeships
In theory, apprenticeships are great. They provide more than high-level domain knowledge or instruction to individuals looking to enter a specific job role, but they have a major flaw that makes them unappealing or difficult to use in cyber security.
Often, only the individual participants get any value from apprenticeships, in the form of on-the-job training. The organization hosting or providing the apprenticeship receives much less value, especially when security staff are pulled away from their day-to-day tasks to work with apprentices. In cyber security teams where resources are already over-allocated, this makes taking on an apprentice an extra burden rather than a benefit to the organization.
This occurs in nearly every industry, but it is especially evident in cyber security.
Current Hiring Practices
Senior-Only Positions
Many security programs only design positions for senior-level roles, requiring at least three years of experience. This excludes almost all newcomers to the industry, especially those who have not had an opportunity to get hands-on work experience.
Kitchen Sink Job Descriptions
Cyber security is often in the eye of the beholder, and the job descriptions organizations write reflect that.
Looking through any job board for cyber security could make your head spin, as each posting carries a huge number of requirements. Many of these can only be met by senior-level professionals, excluding a large pool of people who might be interested in the roles.
It’s difficult to find or create a professional development program that can turn someone into a super-cyber professional, but that’s what it feels like you need to do in order to meet the common requirements in these job descriptions.
This problem is only exacerbated by the way that job boards and job-matching technologies connect applicants with opportunities. Many of these solutions rely on keyword search and matching between the terms in job descriptions and the text of applicant resumes, so hiring organizations cast a wide net of requirements in the hope that someone will match.
This means that many developing professionals are forced to get certifications so that they match these common requirements, but as discussed above, certifications may not give them the skills they need to be effective in a given role.
Legacy Cyber Security Dogma
Senior Professionals are Stuck with Junior-Level Work
This happens often in organizations. For example, a senior technical engineer implements a complex technology, a normal senior-level task, but then becomes stuck performing all the tasks related to phishing, such as triaging reported emails. Many of these phishing-related tasks would be better suited to a junior-level resource.
Many cyber security programs don’t delineate between junior-level and senior-level tasks, which means many seasoned professionals end up spending most of their time on junior-level activities. To make matters worse, these junior-level tasks occur very often, making them more time consuming.
This constant demand on their time for low-level tasks is what leads to frustration and burnout in senior team members, the last people you want leaving your security team.
Lack of Task Mapping
Cyber security is getting better at this with programs like the NIST NICE Framework, which maps work roles to the tasks, knowledge, and skills they require, but historically, security teams have not mapped out the tasks of the most common roles in their programs. This makes it harder to consistently create effective professional development programs, since it is not always clear what individuals should prepare for in the work environment.
The Necessary Skills
As discussed earlier, cyber security has a reputation as a solely technical discipline. However, many of us working in this field know that the most successful security professionals need skills in learning, teaching, writing, presentation, and working in teams to execute security projects. These skills are often more valuable than domain-specific knowledge.
Since security is in the eye of the beholder, cyber security professionals must be able to learn the perspectives of other people, such as stakeholders and business leaders, and effectively communicate their own perspective from a security standpoint. Most of this communication happens through written and verbal presentation.
In a typical organization, the large majority of employees (the author puts it at over 95%) will not have strong security skills. For security professionals to succeed in their roles, they must be able to work with and educate non-security people. This again calls on communication and execution skills beyond the technical ones.
Developing Strong Cyber Professionals
If cyber security is going to address the talent and diversity gaps in the profession, we need to start by addressing these common issues. The CISOSHARE team has been developing a new approach with CyberForward with the goal of bringing more people into the cyber security industry.