There is much consternation and many dismal proclamations from think tanks all the way to Twitter eggs decrying the shortage of skilled information security workers. The skills gap does exist, but it isn’t a singular chasm. It’s a series of rifts and valleys, each with different characteristics. Beyond acknowledging the gap, we need to survey its topography if we are to create a plan to close it. There is definitely a shortage of talent in many areas of information security. Defined roles for ICS and SCADA security professionals are an emerging field. Highly skilled malware reverse engineers are a sought-after commodity. Cloud Security Architects that can secure vastly expanding micro-services and APIs are in short supply. Top tier penetration testers that can build testing tools are rare. There is no doubt this type of skill is uncommon. The skills gap was not created by just a lack of proficient security professionals. A growing acknowledgment that all systems require some level of security controls and an insatiable desire for everything in the world to become software with an IP created a tsunami of new security work. The scope of technologies that need review is growing at an exponential rate. Testing these systems often requires highly skilled security professionals at a volume we don’t have. There are many ways to gain infosec skills: start on a helpdesk, move to system engineering or development, and learn to solve the problems businesses face using technology. This teaches the struggle of balancing business needs, new technologies and legacy systems with the onslaught of new security threats. The value of this experience cannot be overstated. The best way to become an information security professional is to build experience in other IT roles, but it’s not the only way. We can’t rely on just career professionals; we also need new blood in truly entry-level roles. To close the skills gap, we need to develop not only entry-level jobs in information security, but we also need to engage IT pros later in their career looking to move into information security. We need to expand our ideas around what entry-level means in infosec.
Let’s Define Infosec and Entry Level
The major argument around the skills gap seems to be the idea that information security isn’t an entry-level job. This cannot be denied for some roles. However, information security can’t be just the incredibly complex non-standard work like penetration testing and malware reverse engineering. We need to look at what entry-level means. This could be a college student or someone with significant IT experience looking to move to information security. The fundamental security hygiene needed to keep an organization secure requires massive effort that can be fulfilled by people on both ends of the career spectrum. When medical students graduate, they go into a residency program. During residency, they treat patients suffering from all types of injury. They do this under the guidance of seasoned doctors. If medical students can work where human life is on the line with just a degree and on-the-job guidance, we can find a way to grow people within the field of information security. To continue the medical comparison, surgeons don’t sterilize tools in the operating room. Surgeons rely on clean instruments to prevent infection. A technician trained to properly clean equipment performs this task. These technicians work in the medical field. We can round out this medical comparison for IT professionals looking to move into information security. Nurses often become nurse practitioners. They take their skills in the medical field and apply it to the next role. We can create security roles that increase positive outcomes without having decades of experience in information security. The key here is basic understanding of concepts and technologies combined with well-defined processes executed with proper training. It would be difficult to take a skilled physical therapist and place them in a SOC analyzing packets, evaluating logs, or reviewing patching reports. The therapist won’t know much about IT systems, networks, or what logs mean at a base level. This is the argument that gets conflated regarding entry-level security roles. No one is advocating that anyone at any skill level can enter into any information security role. Allowing a college student fresh out of school with no real experience to run a solo penetration test on a production system would be flawed at best and disastrous at worst. Expecting someone who works as a Windows system administrator to know everything about Linux permissions is unrealistic. However, both types of workers can be valuable when trying to increase the security of an environment. Someone with appropriate training using a well-defined process can have a major positive impact on security in an organization. The entry-level college student can bring a new viewpoint to old security tasks, while the mature IT pro understands issues the college student has never seen. Expanding the spectrum of “entry-level security roles” to people at both ends of their career will close the skills gap.
Not Everyone can or should be a Rock Star
This is the crux of the skills gap problem: we continue to believe due to the incredible complexity of some security challenges that the only people who can solve these issues are the “best of the best.” The truth of the matter is most breaches occur because of phishing emails, misconfiguration, password reuse and a lack of patching. We cannot bemoan a skills shortage and also complain that we aren’t covering fundamentals in our security programs. Your top talent can handle reviewing hardening guidelines on systems, patching and evaluating phishing emails… but that is a waste of their skill. If we observe the skills gap where the roles that could prevent breaches exist, you have an eager work force clamoring to get into the field of information security. We can’t solve the woes of infosec on the backs of seasoned security generalists at the peak of their career. There will never be enough of them. Even healthcare outcomes aren’t determined by doctors. Nurses, x-ray technicians, therapists, and a whole host of professionals contribute to successful health outcomes without decades of medical school and professional experience. The complex problems can be saved for the doctors while others handle the standard tasks. Information security can be the same way.
The Skills Gap is Made Wider by a Lack of Documentation
If your IT processes don’t include good documentation, you have two very likely outcomes: a skilled security team will be overwhelmed to the point of burnout, and a good red team will run through your environment like it’s made of wet tissue paper. Companies can, and will, spend vast sums of money trying to bolt security onto bad IT process only to see it continuously fail. The scope of remediation will grow at an almost geometric rate as “new” systems with issues are discovered. These same companies will blame a security skills gap because they believe only an infosec super hero could have saved them. If you have good documentation and controls around IT processes, having someone new to security work on well-defined security processes under the guidance of a senior team member can be relatively risk-free. Define your processes correctly and create fail-safes that limit the damage team members moving into information security roles can do. Not only can you offload some of the tedious work from your top talent, but you can also grow the eager new talent looking to become information security professionals.
Don’t like the Skills Gap… Close it.
If you are a hiring manager complaining about a skills gap and aren’t actively championing an intern program or cross department growth, you are part of the problem. Every security role cannot be an entry-level junior position requiring a CISSP, 40 years experience building scripts in Python, at least two accepted CVEs, and a Masters degree. Nor should you ignore other qualified IT workers just because they’ve never worked in “security.” Imagine the size of the skills gap in medicine if only doctors could take blood, do x-rays, maintain MRI machines and dispense medicine. If your environment is so complex that it can’t have any processes defined so new team members can perform them, no top-tier security ninja in the world can save you from a breach. Start by figuring out where your fundamental gaps are and define projects interns, junior staff and cross-departmental partners can work on. Most companies complaining of a skills gap in security probably don’t have an accurate or complete inventory of their IT systems. This is the kind of grunt work anyone with IT knowledge can assist with that will expose them to the importance of asset management in security and begin growing a workforce that will close the skills gap. If you want to get past a gap, start building a bridge.
Mind the Gap
We can close the skills gap by creating a path for entry-level roles. These roles can be filled by people at the beginning of their careers or later when they are looking for a new challenge working within information security. We must offload commoditized security tasks from our most overworked resources to eager new talent. Standardize roles and insulate them so we aren’t handing a child a running chainsaw and hoping for the best. Stop trying to hire security unicorns when a draft horse can do the job. We need to treat the field of information security as a conglomerate of professionals that contribute to improving the overall security of organizations. We can grow professionals without everyone being at the top of their career. If we do this, we can reduce the skills gap from a canyon to a ravine within a generation.
About the Author: Ean Meyer is an information security professional working in Central Florida. Ean’s current focus areas are PCI, SOX, Intrusion Detection and Prevent Systems, Information Security Program Management, Penetration Testing, and Social Engineering/User Awareness Training. Ean has a BS in Information Security and an AS in Computer Network Systems. Ean also holds a CISSP certification. He can be found at: https://www.eanmeyer.com Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
