The CyberSecurity Skillsgap we all hear

Might not be the perfect section for this discussion but i've been reading for a very long time about the "skills gap" we have in Cyber and everyone always talks about the shortage and how getting more woman into STEM fields, modifying our college programs, influencing children while they're young. But what specific technical skills do we need and/or what soft skills need to be brought in as well. I've done some initial research into this and have gotten some information about specific technologies i.e Cloud, Big Data, Data scientist, etc..but trying to dig deeper into specifics that people interested could do to help themselves ease into the field or what the field desperately needs to fill in general

Looking to see what you guys know and help a paper i'm trying to write

Thanks!

Find more posts tagged with

Skills gap

specific skills needed in cyber

cyber security skills gap

technical skills needed

Comments

LionelTeo

Giac Security Expert #199 and 9 years of experience in blue team/SOC environment here. You might be surprised to hear this - no technical skill is actually needed for getting entry career in Cyber Security. Here is why I said so, cause I personally had worked and trained many new graduates without any experience into cybersecurity to be able to handle incident response and actually work on various malware in incidents. One of the analysts I had trained successfully even had a background of bachelor in mathematics, but could even deobfuscate various malscripts to a great extent and even show professional with many years of experience on how it was done. I am not the first person who would think this way, as another person named Rik Ferguson had mentioned the same thing in an article link found here: https://www.zdnet.com/article/there-isnt-a-cybersecurity-skills-gap-rik-ferguson/

Of course, some of you reading this may think, then why is there even a perception of a Cyber "skill gaps" here after what I had mentioned. The reason is actually quite simple, most firms are seeking Cyber Security professionals with various type of technical skillsets that can fit into their operations, but there is not enough cybersecurity environment that can build out that kind of skillsets from applicants. However, most firms are overlooking the fundamental aspect that it is actually quality of character traits that enable the analyst to reach this sought after skillset. Therefore, the answer lies in actually knowing the kind of character traits that can make a great analyst, and not the technical skills.

Using malware analysis as an example, you can send an analyst to SANS reverse-engineering malware course and even had him to obtain the GREM certificate. However, does that mean that the analyst is now able to reverse malware? Unfortunately, the answer is no if the character traits do not exist. Contrary, someone with that necessary character traits is able to become a great reverse engineer even without needing to attend the course (the course could, however, help to reinforce certain concepts).

Cyber Security is actually all about solving problems in various situations, which is why problem-solving is a critical trait. You can have a security course that teaches one thing about malware, and the attacker is going to get more creative and came up with better ways to invalidate the current techniques used. Therefore, a good analysts is one who would find multiple ways to work with the malware, either by finding new techniques or make modifications to existing techniques. The same concept actually applies to penetration testing with the whole try the harder thing like OSCP, it is all about trying different ways to break in an organization through various experimentation and creative thought process.

The second character trait is actually knowing the right approach to ask questions. As no single cybersecurity professional is able to handle any situations on their own, which is why it is necessary for a security professional to know how to reach out to each other for help when required. The best infosec teams is a team which is capable of covering each other weakness, through working together via discussions. It is also essential for the team members to know how to ask when they are struggling, especially junior members should be reaching out to senior members of the team during critical or unsure situations.

So how can an interviewer work out on identifying candidates with these two traits? Elon Musk pretty much got the problem-solving phase covered. It is regarding asking about a candidate the most difficult problem in his career and listening to how deep the candidate can go into. You can reach up in details here: https://www.msn.com/en-ca/money/topstories/elon-musk-asks-this-simple-interview-question-to-tell-when-an-applicant-is-lying/ar-AAAvckd

The second traits sort of come from one of Steve Jobs quotes, “It doesn't make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do.” Being able to work with each other is actually about approaching each other with the right questions to bring up a discussion. You can actually learn a lot on someone character based on how they asked questions instead of what kind of answers the provided. A good scenario leading the candidate to answer "what sort of questions are being asked during his engagement with clients/team members". By listening carefully to how the candidates asked their questions, it can greatly help the interviewer to identify this trait.

Once a candidate with these two traits had been identified, a great onboarding training phase will bring out the skillset from these candidates. I personally prepared my training program around giving various type of scenarios and have them spend a week digging through. It can be a linux commands to parse raw logs, malscripts, maldocs, malpdfs or actual logs from past incidents. The idea here is to actually have them to work on it mostly independently until they reach the gold standard of the work required. This is how I get fresh graduates to integrate with the team.

Danielm7

LionelTeo said:
I personally had worked and trained many new graduates without any experience into cybersecurity to be able to handle incident response and actually work on various malware in incidents

Interesting post. I think part of the issue though is the actual training part. Most companies don't have a GSE available to train new people without any previous experience. For example, I recently hired a new security engineer, he doesn't have a ton of experience but he interviewed well and has done some of the things we need. HR liked him personally but was really concerned that he hadn't worked with the exact tools we use (but has used some similar ones). I don't have a huge team so I can't pull a person off almost full time to just work with the new person, little bits here and there, not an overly generous training policy so getting up to speed fully is going to take longer and put more on of a strain on the rest of the team than if we found someone who could 100% hit the ground running on everything. But, with all the different types of tools in security it would be next to impossible find someone with the exact combination of everything. Security is so wide, so many people have jobs that are made up of bits of many different areas, and many companies want people who can fill specific roles that are made up of all those different areas. Finding people to fit that mold usually isn't easy.

The job requirement listed a bunch of different tool types and skills, think generalist sort of background with a wide grasp of different security specific skills. I interviewed someone with the security engineer title already, and had been one for years, all they did was run Nessus scans. It would be easy to say "pfft this shortage is so fake! I'm a 5+ year security engineer and I can't even get a job!"

In comparison to something that might be more standardized, like networking. New Sr network engineer was hired a few months ago. Lots of Cisco experience, we're a mostly Cisco shop, or what he'd be handling anyway. First day someone sits down, gives him a huge network diagram, talks about the different layouts and he's pretty much immediately useful to that team suggesting changes and handling config changes.

LionelTeo

I didn't have a GSE back then and neither I was really teaching them anything, just dropping hints along the way if they ever get stuck. On the contrary, it is those fresh graduates that ended up training me

... One guy, who is a fresh graduate showed me on how to use VBA debugger to deobfuscate maldocs, which isn't even taught in SANS reverse malware engineering course. He also ended up desobfucating a lot malware later than me during the time was my colleague. (I think I can end up writing a long story on of his achievements, literally). The other guy uncover using rtfdump to analyze rtf malware documents. I only had for few tricks that anyone within the infosec should easily know, maybe better at analysing PCAP and that's really just about it.

You actually don't need a super technical person once you had a good onboard training program going. What I had actually done is just give them past incidents malware and logs that the team had it figured and give them plenty of time to work it out. Whenever they came back with a conclusion, I just let them know that there is more to uncover if they havent cover everything. In the process of them constantly working on the given scenarios, it helps to mould their problem-solving and analytical skill to what they are today. If they ever find anything new tricks that such as using the VBA debugger, I will just let them contribute back to the KB articles. The result of these is a really strong team capable of helping each other to solves and overcome any challenging incident. Half of the team may consist of fresh graduates, but they are the most talented pool of people that I had ever worked with.

Z0sickx

Lets of good information here from you Gentlemen! was expecting a different conversation but sounds like a lot of it has to do with the soft skills of being able to get the right talented folks who are curious and genuinely have that intrinsic value

COBOL_DOS_ERA

@LionelTeo

"You actually don't need a super technical person once you had a good onboard training program going. What I had actually done is just give them past incidents malware and logs that the team had it figured and give them plenty of time to work it out. Whenever they came back with a conclusion, I just let them know that there is more to uncover if they haven't covered everything. In the process of them constantly working on the given scenarios, it helps to mold their problem-solving and analytical skill to what they are today."

I couldn't agree more with you. A good onboarding training program could solve so many problems. I personally believe given chances anyone with an appetite to learn, would do good in any cybersecurity position.

stryder144

Here is my unqualified observation: there is no skills gap, per se. There is, however, a unicorn gap. Hiring managers want a GSE/CISSP with 10 years experience in Windows 10, a PhD, the ability to work nonstop without breaks 24/7, and all for less than a cup of coffee a day (in Zimbabwe currency). A true unicorn.

devils_haircut

^^ Totally agree with stryder144

I also feel that, even though it's changed a bit in the past decade, there is still a hang-up with HR departments and recruiters insisting on undergraduate and even graduate-level education for these fields. Some of the most "techy" people I know don't have degrees, and even I only have a lowly A.A.S. I'm a bigger fan of practical interviews to sift through candidates, but I understand that can be time-consuming.

Also, if there is such a shortage of talent, why aren't salaries reflecting that?

Goteki54

I believe the problem lies more so with employers. They mostly want a candidate to already have years of experience in cybersecurity, but that's a double edged sword approach. In order for there to be a sustainable talent pool of experienced candidates, there first has to be a constant flow of inexperience candidates in order to gain the experience in order to fulfill the experienced talent demand. Anyone with experience in Cyber security or any other field of I.T at some point started at a newbie.

Danielm7

Goteki54 said:

I believe the problem lies more so with employers. They mostly want a candidate to already have years of experience in cybersecurity, but that's a double edged sword approach. In order for there to be a sustainable talent pool of experienced candidates, there first has to be a constant flow of inexperience candidates in order to gain the experience in order to fulfill the experienced talent demand. Anyone with experience in Cyber security or any other field of I.T at some point started at a newbie.

They want a candidate with years of experience in SOMETHING related. It rarely has to be exactly the same thing, but if you can't prove you can already do at least most of the tasks, then why exactly should they hire you? A general systems or networking type JOAT who has done lots of "security tasks" with lots of passion, yes, come talk to me. I've hired people just like that, heck I was one of those people!

But, just interest, with nothing to back it up, it's hard to say "as a business it's our job to hire all these people and train them so they can have experience and be part of the industry!" Because really, how many businesses are going to say that? It's been said a million times here but for most areas of security, it shouldn't be your first IT job, there is an expected understanding of lots different things that you don't typically have if you just got to school and come out and expect to walk right into a security role.

I'll give a random example from a place I worked. A systems or network engineer, always came in with years of experience, could hit the ground running and was paid somewhere in the 75-90K range. A security engineer was paid in the 90-100+ range. If the expectation is that the systems guy walks in with 5+ years directly related experience, solid MS server stack skills, AD/DNS/Exchange/etc, some virtualization, some linux and at least a decent understanding of storage systems. Meanwhile I'm getting people applying for security engineer roles and asking 100K+ with literally a BS and an internship where they took tier 1 tickets and escalated them up and no literally none of the tools or things I need them to know. This is a medium to above average cost of living area too, not NYC or the Bay Area.

I think in some cases the expectation is wrong on the candidate's side as well. I can't go back to management and say "OK well we have a budget up to 110K, this person seems nice, has a home lab but literally zero practical experience, can I give them 50, then spend all year training them and hope they don't leave for the first offer for 50% higher?"

jeremywatts2005

Good relevant topic. I believe this to be a myth we have no shortage of individuals and not skills gap. We have people inside of companies wanting to move into cyber roles who have mad skills. Problem is companies are not developing those individuals to move into those roles. They individuals have the skills but need training to translate those skills into cyber. It actually would be a lower cost solution to develop that talent and move lower tiered individuals up into the roles they are leaving. Management has a clear problem in developing succession plans with their staff. They should be identifying those individuals who want to move up and assist them in doing so. Second the issue is training in companies. A lot of focus is placed on tuition assistance which is great for some but not all. Instead a focus need to be moved to training overall. That includes conferences, certifications and paid lab time to build those employees and the employee shouldn't be fronting the cost asking for reimbursement which disincentives some to do training because of up front costs.

Third their need to be monetary incentives to move up whether that is a change in salary, benefits or whatever a lot of companies give they whole we can only pay 5% above the role you are in currently. Heard that one over and over from numerous companies. This is poor HR because it incentive's the company to try and bring people in as far below the mid point as possible in hopes that if the employee ever moves up then they will remain below the midpoint. What the company gets is an employee willing to accept the role for a time and then leave. Pay someone competitively and not base their new salary off their old but instead pay them based on their increased worth.

Fourth companies who cannot develop in house need to become more competitive in the market when it comes to salary and benefits. The whole we do not negotiate take it or leave it makes it more difficult to hire employees. Very few companies will negotiate salary they have bands and will not allow movement beyond the midpoint and trying to determine that midpoint is nearly impossible to the candidate. I have seen numerous companies offer the same compensation bands over and over stating they are trying to ensure income equality in the workplace. Why would I want to go to work for nearly the same pay at another company. I wouldn't want to do that and most people won't. So where does this all lead us the excuse we have a cyber shortage no one is available. When in actuality there is talent wanting to move up and move into these positions. The whole system is just broke right now. We have no defined titles for positions which further complicates the process and we have non technical HR people trying to recruit technical people. We also have non technical people making decisions regarding salary and compensation for a market they have little to no experience with.

Z0sickx

Wow did not expect these long thought out responses from multiple parties! Being in Government Contracting the game does change, as there is no lets higher someone with the potential talent to build them up, customers want someone with most of the know how and spend a few weeks to a month tops getting up to speed. The only exception to this is with Jr positions, its seems getting someone with just the right talent to build upon is more then enough. You guys are right a lot of things are techable if I.E learning to do a Nessus scan/ analyzing the results it doesn't take brain surgeon to fully understand. Flipping the script an understanding whats going on the backend and how to install/troubleshoot enterprise application tools is an art and science that requires a certain perseverance and try harder when you have a tough problem on hand

MalwareMike

I thought you guys would enjoy this article: https://techcrunch.com/2019/01/27/too-few-cybersecurity-professionals-is-a-gigantic-problem-for-2019/