Cybersecurity skills shortage, is it real?
So you're in Cybersecurity, and your company has been trying so hard to find qualified Cybersecurity candidates but without much success. Your company is frustrated by the lack of qualified candidates, and the qualified candidates seem to ask for unrealistic $$$
You even interviewed some candidates and you did not like what you saw.
My question is....
1) What skills are you actually looking for? Splunk? Nessus? Risk assessment? Penetration testers with OSCP? Candidates who passed GCFA and can do Memory Forensics?
2) How hard do you think it is to get a candidate and give them time to get proficient with Splunk? How is it different than, say, Network engineering where you give a candidate time to get familiar with a certain network gear? Why is Splunk so hard to master? Is Splunk the problem?
3) How crucial are those skills? Are you being unrealistic? How often do you have to do Memory Forensics (as an example) ? Do you think it's a transferable skill that a good experienced Systems/Network Engineer can pickup?
I'm just trying to understand, because I spent time in Systems Engineering and various parts of Security, and I didn't find Cybersecurity particularly harder so I'm trying to identify the source of the problem here.
Comments
2 - if it's a full time dedicated person who has the technical ability to work with splunk, i'd give them 2-3 years to be good with it. splunk gets deep and all depends on the log sources. cisco's logs are way different to bring in and manipulate than nessus' logs.
3 - everybody is unrealistic in their expectations, but that's because the people hiring don't know anything about security. they think they can treat it just like any other entry-to-mid-level IT job, and that's so far from the truth to do it effectively nowadays. IMO, to be good at infosec you need to live and breathe the specific area you work in. a network engineer just can't do a 3-month job rotation with an infosec engineer and be any good at the job. plus during those 3 months he's trying to learn splunk you are effectively defenseless, and who the heck wants that!??!
The same can be (and I'm still trying to form an opinion on this) applied to security. I still don't see the whole 'Cyber skills shortage'. There are so many network/systems engineers who would make great InfoSec professionals if they're given the chance, and I found them to be a lot more competent than some of the InfoSec pros who have only done InfoSec (but that's a topic for another day).
For what it's worth, in my last 4 jobs I met 40% of the skills listed in the job description, and it took me about 6 weeks to get up to speed and get bored out of my mind. Those are not skills, they're just familiarity with a certain GUI or process or whatever.
I've worked in a myriad of environments over the years and I can say very few teams are capable of consistently performing analysis at a high level, let alone doing it at scale. I'm also noticing a concerning trend involving the over-reliance on newer high-capability tooling, especially in the EDR space. Take away a team's EDR visibility, or Splunk, and more often than not you'll see an investigation come to a screeching halt. Fundamental disciplines such as data collection, evidence handling, and alternate methods of processing evidence seem to have fallen to the wayside.
This is problematic because the most meaningful breaches typically won't take place the way we want them to; on systems with perfect monitoring, healthy agents, and with evidence readily provided to us in real time. Especially in larger environments, we often have security-related issues because a system fell through the cracks and wasn't patched, or <insert security tool here> stopped working and we didn't know about it until it was too late. Being dynamic and resilient is very important in this respect, and we need to resist the urge to get comfortable with off-the-shelf solutions. But this isn't happening.
One last thing I'd like to add here: I also think we have a significant leadership skills gap in the industry. We have upper-management going to vendor-run security conferences and returning to the office with a bag full of buzzwords. These buzzwords get thrown around in a meeting or two, and somehow they end up driving policy and lead to frivolous spending. It's a huge problem. I believe the most complete solutions to security issues lie within, and in the data. I'd like to see more organizations look inward than reaching for the newest button to push.
but I think this is more or less what I'm thinking....so you said the skills needed are 'data collection, critical thinking, evidence handling, being thorough,...etc' rather than specific tooling. That's exactly what I think too, and this is the reason why I think experienced Network/System Engineers are perfect for this because they have most of this and some more
but come interview time, and the cyber experts jump on asking specific tool questions...I singled out splunk because I've seen SO MANY cyber jobs that were nothing but Splunk button pushing - not that it's a small task, it's just nothing special in the sense that any capable engineer should pick this skill up.
I 100% agree that the problem is leadership and management, too much focus on off-the-shelf tools and staff who have tools on their CV, rather than leveraging experienced IT folks who may not have the tools yet, but are more than capable of picking them up.
This depends on the job opening. A lot of people who are in cybersec and already doing this day by day don't even have certs. The people who have certs usually have CISSP. A lot of CISSP holders are not even technical at all. They create policies. There is a big misconception that CISSP guys are expected to know everything in cybersec.
2) How hard do you think it is to get a candidate and give them time to get proficient with Splunk? How is it different than, say, Network engineering where you give a candidate time to get familiar with a certain network gear? Why is Splunk so hard to master? Is Splunk the problem?
You can deploy splunk in your home lab and learn from it. It will close the gaps. A lot of people just double click even when using splunk.
3) How crucial are those skills? Are you being unrealistic? How often do you have to do Memory Forensics (as an example) ? Do you think it's a transferable skill that a good experienced Systems/Network Engineer can pickup?
In production, they have a guy who deals with nessus, another guy or group who deals with risk assessment, pen testers are usually outsourced, and forensics is dealt with by 1 or 2 guys depending on how big the company is. Separation of duties...
For your questions:
1. It depends but I tend to go less hardcore on the actual tool requirements as we're a smaller dept and I need more for a generalist. I use Nexpose, if someone knows how to use Nessus, great, if they use something else, also great, they can learn a different tool with the same concept.
2. Splunk is a thing, and people who want Splunk don't seem to want someone who is good in ArcSight, so it's going to be much more difficult to say "I want a splunk expert" vs "I want someone who understands log collection and correlation".
3. Anyone smart enough with a strong enough background can usually pick up anything, but do they need to? If you're expecting a network engineer to do that as one of their tasks, then I wouldn't expect that. But if you're expecting a good sysadmin to be able to learn security tasks and step into a security job, then why not? Most people transition into security, they aren't born there.
That Windows 2000 comment nearly made me spit out my coffee.
Are you able to share the skills that you are after? It would be helpful for us to see, and perhaps find a solution.
Good point, we all seem to agree that this is one part of the problem: asking for tons of skills and lowballing. This is not unique to Cybersecurity, it's common in all aspects of IT.
Ultimately, in a perfect world, I'd like to see cybersecurity as a field go in a trade-like fashion. You get in, but you're an apprentice tied to someone and learning the job's skills. You're doing some of the menial tasks that we'd all rather not do, but at the same time getting bits and pieces of security. Steadily you rise up the ranks and eventually you're a full-fledged cybersecurity person. In most cybersecurity shops I've worked in, we've maintained our own systems, meaning system administration had to take place. Perfect starting point for a new cybersecurity grad to get technical skills while still being part of the team.
The general idea I tried to get to in my other post was that bigger concepts are more important to me than exact specifics; if I had a bigger group I'd be more concerned about the specifics as they could silo more. But if you've done X firewalls, and know firewall rules, and I use fortinet instead of cisco, well OK, you can probably learn that reasonably fast. I ended up hiring someone who was a higher level desktop support person but was also the go-to guy for chasing down viruses and phishing issues. Because of that I was able to hand him some easier work for a while and then set up training for the harder stuff.
Excellent points. I recently spoke with a couple of IT recruiters we use from time to time, and they indicated that in our small city Cybersecurity positions were numerous, but the pay was pretty entry-level.
I've talked to more than a couple of people wanting to get into IT from other careers, and they always indicate that they want to go right into cybersecurity. Yet they have no idea of the vast knowledge and experience - nothing they currently have themselves since they don't even work in IT - that these types of roles really demand to be effective.
And years of experience in IT simply isn't enough. I work with a lot of people with years in the IT business, but they never go to school, take vendor training, Google to research an issue, etc. You have to be someone who is continually willing to learn and research, which is where an apprenticeship would help.
Our own IT security team has generally settled on newbies to IT for analysts, and boy it shows. Not that one or two of their techs weren't sharp, but they lacked much real IT experience in networking, or support - even desktop support. So, then we server admins find ourselves doing a lot of the footwork the cybersecurity personnel simply don't know how to do.
I'm interested in this because I've heard this argument before, so I'm trying to understand what the cause of this problem is and how it can be fixed.
So where did the problem happen? Let's explore some possibilities
1) The job description was out of whack, it did not list "know how the systems connect, different subnets, etc., know enough of Windows domains to understand GPOs, patching cycles, reasonable AD, basic hardening"
2) The job description was accurate and listed the required skills but the pay was too low for someone with actual IT experience
3) Your company is in a small location and no one wants to relocate there
4) The basic IT skills you asked for are not that basic, and assumed a lot of specific knowledge (Windows AD, GPO... that's a Windows admin, so maybe ask for a Windows Admin? with 2-5 yrs experience?)
I'm just trying to find where the problem is so we can find a solution
A potential solution I can think of....
1) Create an internal process where you allow existing IT staff to cross train in Security, and I'm talking real cross training, not a day here or there shadowing, more like a 6+ month secondment. It can be cheaper than recruiting a disappointing candidate.
2) Improve our job descriptions, so if we're looking for specific Windows Administration skills, we actually list those skills specifically to avoid candidates misunderstanding the posting.
3) The money offered should be on par with the cost of living of the area and the supply/demand
4) If we fail at finding the right candidates, then the only option we're left with is to get 3rd party companies to do security work.
What else can we do? I'm just trying to think out loud here.....I would like to hear what ideas are out there.
I really am not a fan of those programs, and I'd rather see them disappear. I'd rather candidates get basic Science degrees and learn critical thinking and other foundation knowledge, and work in IT for at least 5 years. This may fix a lot of the issues that we see today in weak security teams.
1. Depends on the position. Your JD is a bit overly broad here. My currently promised a mid to entry level position in 2017, 2018 and again in 2019 with nowhere to even seat the position should I find the perfect candidate. As for skills? Skip the fresh graduate in anything, particularly a tool user with a security degree. Need at least five years of IT experience. Preferably someone coming from a development background rather than another infrastructure person like myself. I need an internal penetration testing and QA person who can go deeper into code than I can. Logs are easy to figure out, it's the burnout factor that kills people, not the skill. Pay range would be 90-105k. Chicago is expensive but also slowly being crushed by taxes and commute times; still people want to flock here and sit in traffic for hours a day.
As far as talent goes, I don't need another me. Can train anyone to read and develop logs. Boring but doable. Overall detection abilities are through the roof better than say 3-5 years ago (BAD, NBAD in particular). Tools including predictive analysis at the endpoint, network and entry points are providing more and better ACTIONABLE evidence than ever before. You can farm the actual log stuff out to a service cheaper than hiring someone to sit there and learn Splunk as well. The comparison to simply manipulating Splunk logs may soon be a nice double check but frankly, I see much of that primary log analysis going away in favor of having the machines alert on things in real time. SIEM will still be there in the background but more for comparison and compliance. You may be fighting an ever-losing battle with any SIEM technology. Hold on, we'll see. Not convinced either way but running out of fence time on this one.
2. Splunk is easy to pick up at first but requires real effort to master. Putting the cycles in to master the product is not in the cards for most people who work 8-5, go home and never pick up a book. Continuous learning is still a foreign concept to many.
3. Skills are as transferable as the candidate is willing to learn. See number 2, rinse and repeat as needed or farm the tedious stuff out.
In general I see the lack of candidates as being formed by the lack of interest from the talent side. There is no real benefit for talented IT administrators, let alone developers, to switch careers for more work and the same or less money than before. Add to that more headaches and more learning curve and you have a recipe for imbalance. Most see no upside other than it's an additional challenge to master. Developer types here are paid more than security so my eyebrow rises when I do meet the occasional dev turned InfoSec person. The term 'Cyber' should be left to Government, politicians and schools. I have never met a serious business person who says 'cyber' worth a conversation, but that's just me.
Now, depending on which report you want to subscribe to, you will also see where determined intrusion attacks are down to 1:8 from 1:3 successful attempts in just the past 18 months. Considerable. That means that security is finally starting to win the war, one slow battle at a time. Given that one stat right there means we will need fewer InfoSec people investigating anything rather than more. The workload is or should be decreasing here.
The US department of labor calls for an additional need of 1.2 million more security people by 2020 - hogwash. Forrester and Gartner both state the trend will decrease the number of analysts needed, not grow. Unfortunately, these reports are recent and still behind paywalls. Frost and Sullivan recently published survey results of 2000 CISSPs painting a need, from their survey projections, of some 2.2 million more security analysts by 2020. Which is great for the ISC(2) as they certify security analysts! Not buying that one either.
If we need 2.2 million more analysts in 2.5 years we will be seeing double digit increases in salary already, and you're lucky if you're seeing anything above 3 percent industry wide. Three percent is still beating the average for all fields nationwide at 2.3 percent according to salary.com, et al. Again, I don't see it happening. If we were, it would be back on the cover of every trade rag going and we'd see the industry setting itself up for another Y2K debacle, and no one wants to go through that again.
Your next growth industries will be data science/analytics and cloud administration. Technical Security will be absorbed into the whole DevSecOps wave (it's coming) or into a more policy and business risk posture. Once again the economics will determine the path the field will take in the future. Techs become too expensive, technology takes over and replaces analysts like forklifts once replaced porters, and on and on it goes.
Continuous learning is the key.
- b/eads
As others have said, a decent cybersecurity person has probably worked years in the field and gradually specialized over time. So maybe the solution is to advertise for an experienced sys admin with an interest in security (don't even use the word "cybersecurity") and see what you get.
One beads is more than enough anywhere!
Spot on post though!!
(apparently I need to spread more rep around in order to give you more)
I understand what you're going for here, but my company doesn't determine what is realistic - the market does. This is part of the problem and companies need to get this, particularly for more senior positions.
Had the industry focused more on moving systems/network engineers and software engineers, I think the skills gap would be far smaller than it is today. Instead, companies trying to build out their security programs went after GRC types - folks that fit corporate culture and are more easily understood by the business. Surveys polling CISOs continue to show that senior cyber leadership believe their teams are lacking in skills. But this is what happens when you tie up your resources in administrators that don't have technical skills.
This shouldn't be construed as argument against GRC - but I think that their teams are often too large. Overreaction to regulatory compliance drives a lot of this, I think. As an example, I work for a large financial services firm. A few years ago, we had an audit finding that said we weren't doing enough to make sure our vendors use good security practices. The next day (or so it seemed) we had a team of folks to manage vendor oversight. The number of folks managing vendor questionnaires is now 3 times larger than the number of penetration testers we have.
I think training engineers can definitely help solve the problem, but you have to be able to identify good candidates (as with anything else) and come up with the resources to pay them. Not just any engineer is going to make a good candidate. Offensive security requires a mindset that many engineers just do not have (software engineers, in particular, have a hard time even thinking about making software do things it wasn't designed to do). But they have the years of experience that you just don't get by getting a degree or auditing for 10 years. Knowledge of the underlying technologies is so critical, but it takes time. I say hire more engineers.
Mate, we all want more of you in our companies
This is good, developers are a dime a dozen. I'm aware that they don't all want to move to security, but it's a start...
Hmm, that's interesting. I've seen some developers paid more, but I thought security pros are paid more on average...I could be wrong. But I noticed that there is a lot of interest in security, it's the new buzzword cool thing that everyone wants to get into...I'm wondering if it's the area I live in, but even here in the forums, we get regular questions from people wanting to move to security, so there is interest. They all seem to note how difficult it is to get into security, go figure!
I noticed that data science/analytics & cloud administration is the present, not the future. I predict the opposite: I think data analytics will become a utility/ready to use button and cloud administration will keep on getting even simpler than it already is. I also noticed that DevSecOps is the present as well, not the future. I think more tools will be ready to use in the future with little to no customisation/integration needed...or at least I hope so
excellent points as always beads !
No I actually agree with you here, GRC consultants should not be running security departments, I've seen it and I totally agree with you. GRC should be an integral part of a security function, but not the main part and definitely not the leadership.
Still see the overall increase in data science for the foreseeable future but as you already know predicting anything around IT is fraught with danger and littered with the bodies of dead predictions. It does keep things interesting though.
As far as developers being paid more, yeah that's clear to see on salary.com, paycom.com, SHRM, etc. and every other comp table publisher I have recently reviewed. I just did this a couple of months ago sitting through the HR/Comp committee review. Security is a mixed bag overall. Major markets where most of security calls home are pretty much aligned with infrastructure (CCNA level) salaries. Maybe a premium but not much. A percent to perhaps three is right in that window. Small markets I see senior positions going for 85k plus benefits. I know that farm equipment repair in the same area starts at 80k. That's an entry level mechanic job vs. a bachelor's and 5 years of IT experience. Double ouch! Hours are probably better as well.
The GRC thing won't calm down until GDPR is well understood and contained. Till then let people scream like it's Y2k all over again.
Yes, folks I often walk up to hornet's nests and kick it - hard. It's part of my negative charm.
- b/eads
I send in my CV and hear nothing ( keep in mind my last interview I was in the final 2 and of only 3 that went through to the second round, all good feedback, really positive ). I've got some entry level certs that I worked for and on my own dime whilst being a sysadmin for the last 18 years.
These companies never take the initiative and say 'actually there's someone who's interested in Infosec and must know a certain standard to be in his job for the last 10 years. We can always give him the experience and he might end up doing a good job for us for the next 10 years. If he does certs etc he must be trainable'
But no, they keep on advertising, keep missing possible good people then ***** about no one's available.
Interestingly the company above had my CV, sent a further questionnaire (so it has been read by a human and passed the HR filter) with nothing CV related, just what's your availability? expected salary (I asked for about £1500 more than I'm on now and that was towards the lower third of their pay banding) and have heard nothing back after sending 2 weeks ago. When I asked the agency they said it's still with the recruiting manager.
and they wonder why there's a gap??
100% with you here, the companies that complain about the shortage are usually inefficient at recruiting, bad at writing job descriptions, have questionable HR activities, and odd technical questions too. I'm not making any of this up, I've been to so many interviews and been rejected a lot. I've been in 'security' for the last 4 yrs maybe, and I've seen the inefficiency.
That has always puzzled me. Where I'm from, tradies get paid a lot more too. Nothing against them, it's just that it takes a lot longer to get qualified to do a damn IT job sometimes that it makes you wonder what the heck. Topic for another day!