No STEM, No Problem: How to Close the Security Workforce Gap
Those who work well with others, learn quickly, and possess a proactive mindset toward the work can make great employees, even if their backgrounds aren't rooted in cybersecurity.
The shortage of skilled information security workers persists — and continues to grow — for the simple reason that demand continues to exceed supply. But organizations will have a greater supply of talent than they realize if they can change their approach to uncovering it.
The search for cybersecurity professionals traditionally begins and ends by looking for candidates with backgrounds in science, technology, engineering, and mathematics (STEM). But security operations centers (SOCs) and others looking to fill the infosec skills gap could broaden their search by looking for people with analytical, inquisitive minds and other talents that make for a good security analyst or other IT professional. They may well find the talent pool runs deeper than an HR-driven checklist can reveal.
Outside the Academic Envelope
The most recent annual Cybersecurity Workforce Study by (ISC)2 found a shortage of 2.8 million cybersecurity professionals around the world, with about 500,000 in the US alone. To meet the demand, the cyber workforce needs to grow globally by 145% and in the US by 62%, the report found. This is particularly concerning as cyberthreats continue to grow in number, variety, and severity.
Retention is also an issue. Using SOC analysts as an example, entry-level workers in an organization typically come in at Tier 1, with their main responsibilities centered around responding to alerts, checking logs, monitoring user activity and network events, and detecting attacks. Given that the average tenure of a SOC analyst is one to three years, many analysts only experience Tier 1 work in the industry as a whole before leaving due to burnout — just as they are gaining real competence in the field.
Filling the gap is one part of the solution; keeping talent on board is the other.
What Makes a Good Candidate?
An analyst certainly does have to understand computers and networking, as well as how information systems can be exploited, but what makes a good analyst is more than that. The core factors are the ability to be analytical and inquisitive and to come up with creative solutions, as well as to possess research skills and proper documentation and communication skills. Other talents that also come into play include technical writing ability, which often is overlooked. But those abilities don't necessarily surface during an initial screening process.
Finding good candidates to fill cybersecurity analyst positions or other jobs is a two-way street – abilities a SOC should be looking for are the same ones candidates should be exploring. A few of those factors:
Certification: As opposed to classroom work, certification gives candidates the opportunity to achieve specific skills. Hiring and SOC managers often look at certifications over higher education. It's one area where skills can be presented on a resume rather than in a portfolio. Outside of the standard certifications for a certain job role, certifications that show a diverse skillset are a great way for candidates to demonstrate their breadth of knowledge and adaptability, two important factors for hiring managers.
Practical experience: Candidates should have an efficient, succinct way of showing what they've done in the field, such as working on open source projects, to showcase how they’re contributing to the community at large. Networking (in a social sense) also can't be overstated. It can show an ability to work with others; sometimes who you know can be a big boost, just as in any industry.
Scripting ability: Candidates who want to get out of the basic Tier 1 and 2 work will benefit a lot from the ability to program in languages such as Python and Ruby, which are used extensively in cybersecurity.
'Industry Outsider' Talent
Organizations need to adapt their recruiting and hiring processes to increase their chances of attracting the people who would make good analysts, regardless of whether they have extensive experience in information technology or STEM. One approach is to look at candidates' portfolios, rather than resumes, as a measure of their skills. That approach is often utilized at smaller penetration-testing companies, for example, where candidates are assessed on what they can do.
In similar fashion, practical examinations of potential analysts should focus on more than just background and experience. Other things that can be used to screen or evaluate applicants include problem-solving tests, technical writing exercises, and tests designed where the candidate has to learn a new technical skill, use the skill to solve a problem, and document the attempt. Even if the attempt fails, understanding how well and in what way the candidate learns can provide insight about whether that person has the potential to make a good analyst, rather than only looking at candidates who can analyze a pcap file with tcpdump. Yes, this approach would add a level of complexity for HR departments and require greater involvement from the security operations center in the vetting process, but higher involvement is necessary anyway to unearth good candidates.
Sticking with our analyst example from earlier, great analysts can also come from other fields, such as police work, where an experienced investigator can catch up on the technical parts of the job if they already have a mental framework for investigation and analysis, along with the mental agility to reach good conclusions on incomplete evidence.
Ultimately, the most successful people in cybersecurity understand that it's a very complex field with a lot to keep track of, from new attacks and attackers to new tactics and avenues of exploitation. Those who work well with others, learn quickly, and possess a proactive mindset toward the work can make great employees, even when they come from nontraditional backgrounds. It's a constant learning experience and can't be handled alone — it must be done as a community. This should inform our hiring choices as well.
Related Content:
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Untangling Third-Party Risk (and Fourth, and Fifth...)."
About the Author
You May Also Like