The cyber-security industry has been growing at a dizzying speed during the past decade, creating employment and business opportunities. However, the supply of manpower has not caught up with the growth, leading to a shortage of highly skilled cyber-security professionals. The shortfall is expected to reach 3.5 million by 2021, the New York Times reported.
However, this situation cannot be termed a talent shortage, said James Lyne, CTO of SANS Institute.
"This isn't a talent shortage, but there's a limited number of practitioners making it in the industry. There are people who are incredibly talented, have the right aptitude to succeed, who don't know that they're any good," Lyne told SC Media UK on the sidelines of CyberThreat 2019 in London.
"What we're seeing is that there are multiple paths to cyber-security for different roles. And I think that's great," he said.
Tom Van de Wiele, principal security consultant, F-Secure, told SC Media UK in October that the talent shortage in cyber-security is due to the lack of structured, university-level education in the domain. Lyne agrees.
"It has been a challenge for the traditional approach to engineering, IT and networking to keep up with the extremely fast-paced velocity of cyber-security change. You remember this with engineers. A number of years back engineers were going through the programme, coming out the other side and being out of date by the time they were finishing. And that is a real challenge in a domain like this, which is changing so fast, so constantly," he explained.
"There are people who don't go to university, who have hands-on experience, who go straight to work and are very successful. There are people that go through academic study, learn fantastic skills, come out and land a job. It's about picking the right path for you. And how you learn."
The one thing that's consistent through all of it is the importance of people being able to prove and demonstrate they've got the right skills to do the job, he asserted. "And it's refreshing to see industry starting to respond to the fact that there are multiple ways to prove that. It doesn't have to be a degree."
Scott Helme, security researcher and trainer, agrees. Helme, who holds a degree in software engineering, told SC Media UK that his journey in cyber-security started "really as a hobby". However, he concedes that his academic background in coding helped him take big strides in the industry.
"I spent three years at university doing a degree in software engineering, and I didn't want to be a software engineer at the end of it. However, I think my ability to code is phenomenally helpful. I love knowing that I can fall back on it," he said.
It was during his stint as a quality assurance executive for a security software company that Helme developed a serious interest in security. He started researching security in his spare time. He recalls that the experience of typing in a sequence of characters to make an application explode was "really cool".
"If I want to do something or a task, I know that I can whip up some code, build a small tool or a quick little script. If I need to read some code to understand something that's happening, obviously, my ability to write code allows me to read code in different languages and still get to grips with it," Helme explained.
Lyne agrees that academic training comes with certain entry barriers, such as minimum entrance grades, which restrict a lot of talented people from taking up infosec careers. TalkTalk hacker Daniel Kelley took to hacking during his school days after he failed to obtain the cut-off GCSE grades to join a computer course at his local college.
"I think it depends on the type of person and the type of study," said Lyne.
"I know some forensics practitioners that really learn a great structure about how to think about their work, from academic studies. I know cryptographers who are world class who would not be the cryptographers that they are without academic study. They needed their mathematical foundations, their due process, they need academic journals where they challenge each other and try and prove the math wrong."
There are other areas where this approach does not work so well, he noted.
"Some of the best defensive people I know didn't learn that in an academic institution. They sat in a lab for tens of thousands of hours breaking stuff; they just tried and tried and found new ways."
Filtering people who aspire to be cyber-professionals through sieves such as academic qualifications poses the risk of losing out on diversity, he said.
The ultimate test in hiring should focus on candidates' skills, which they can prove by writing a tool, taking industry tests, or actually doing web application penetration testing. Organisations may otherwise be missing out on talented people, he said.
And talent can come from anywhere. SANS Institute and the Department for Digital, Culture, Media and Sport, UK, in September launched the third edition of Cyber Discovery, a project to identify elite cyber-talent and help close the UK's cyber-security skills gap by inspiring teenagers to pursue a career in the industry.
"Some of the kids this programme has found are amazing," Lyne said. "One of them is 15 years old. He's finding flaws in real-world applications in bug bounties, reporting them and getting paid for them. He's doing industry-grade work, making the world more secure as a result of this programme, where he wouldn't have ended up in this industry otherwise. That's such a powerful statement and it is terrifying. I wish I was as good as him at 15!"
Speaking of bug bounties, Lyne considers them very effective when they are done well.
"Some organisations embrace them with arms wide open and get a lot of value from engaging the security research community and fairly paying people for their work," he said.
"It can't solve the entire skills crisis. But I believe it's a powerful part of how our industry has matured. I'm very positive about it."
The crucial factor that draws talent to the industry is a deep and keen interest in security, Helme asserted.
"The people that I see now are passionate about security. They want to make a difference, they want to do things," he said.