There has been a lot of news recently about the cybersecurity skills shortage. While there is a lot to be concerned about with all of the news about insecure devices and unsecured networks, I am confident that the shortage alarms are more headline-grabbing sensationalism than actual fact. In this two-part article, I will explore the problem of the cybersecurity skills gap and what happens when you are promoted out of your hands-on position to one of management.

The biggest problem with a blanket statement about a shortage in a particular industry is that it fails to focus on the specific unfulfilled skill rather than the particular deficient area. Generalizations usually suffer these inaccuracies. Worse yet, it minimizes the vastness of the profession. Imagine if the headlines spoke of a shortage of attorneys. (Keep your attorney jokes to a minimum, please.) Would a general headline like that ever pass a responsible editor’s desk without you wondering whether they mean criminal lawyers, real estate lawyers, or tax lawyers?

The InfoSec world has many different positions, including Pen Testers, Analysts, Security Administrators, Security Auditors, Researchers, Programmers, Social Engineers, Consultants, and those on management levels. One need not look further than the RSA conference to meet a host of folks who work in separate and distinct areas of Information Security.

When the headlines speak of the cybersecurity talent shortage, what is it that these cyber-starved industries are seeking? Sadly, a review of job postings offers no true help. Many of the Information Security job descriptions contain a list of Everything-A-Hiring-Manager-Ever-Heard-About-Cyber. Truly unrealistic goals; a time-waster for both the interviewer and the unfortunate candidate who has to explain that a programmer may not necessarily be the same person to author an incident response policy.

Can this problem be solved?
Yes, but are we as an industry willing to create the unified effort it will take to make it happen?

First, can we be as clear as possible about our skills and qualifications so we do not give false impressions? There was a time when recruiters would advise applicants to add every piece of technology they ever touched to a resume. This does not help, and there is the distinct peril of a reputation-damaging interview or landing a job for which one is unqualified. As a comparison, it is a rare event that a brain surgeon would also carry the title of podiatrist. We should use the same integrity on our resumes so that there is a clear understanding of the differences between the disciplines in our field.

Another way to solve the perceived talent shortage is to maintain the integrity to walk away from job descriptions that are not a “good fit,” as well as interviews where it becomes evident that the real job is clearly not what was advertised. Having the integrity to say “no” is a valuable skill.

This may all seem counter-productive: If we don’t pad our resumes and we walk away from jobs for which we are unqualified, doesn’t that add to the apparent skills-gap problem? Not at all; in fact, adding integrity could serve to elevate the entire profession. Perhaps then we will see the broad generalizations about the profession diminish towards a better understanding of the multi-faceted discipline that has been created by the incredible advancements in technology.

In part two of this series, we will look at the progression from individual contributor to manager and some of the unique challenges created there.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.