It's not just quantity but quality of pros missing

News by Rob Abel

People who need people aren't the luckiest people in the world, at least not in the cyber-security world where a skills shortage yawns wider each year.

People who need people aren't the luckiest people in the world, at least not in the cyber-security world, where a skills shortage yawns wider each year and the slim chances of finding qualified job candidates are forcing hiring organisations to take proactive, creative approaches and widen their searches, possibly stopping just short of dispatching job postings on milk cartons and lamp posts.

With the increasing use of IoT technology and stricter regulations on the horizon, it's only a matter of time before companies need to take a more proactive approach to address these shortcomings.

A recent global survey of IT professionals conducted by ESG found that 53 percent of organisations reported a problematic shortage of cyber-security skills between 2018 and 2019. That is an uptick from the 51 percent that reported shortages between 2017 and 2018 and the 45 percent that reported the same between 2016 and 2017.

"The demand for cyber-security professionals has exploded in the last decade," says Nimmy Reichenberg, CMO at Siemplify. "Many companies that never had a security team or a CISO now want full security teams in place. Existing security teams also need additional staff since security has become a much more complex business with more risks to address, more regulations to adhere to, more things to secure (think cloud, mobile and IoT) and more tools to operationalise to do it all."

To combat these challenges, some companies have hired IT professionals and set up cyber-security training programmes to provide some relief. However, there is no silver bullet for the underlying shortage of talent. Companies need to realise that security professionals can't be created overnight, and organisations should jump at opportunities to automate repetitive tasks to make their already scarce teams more productive.

"The market is slowly reacting, and more students are taking up cyber-security, more IT folks are specialising in security, etc.," Reichenberg says. "But this does not change the fact that to become a security professional with 10 years of experience takes…well…10 years."

Reichenberg explains that the skills shortage is most acute in the SOC (security operations centre), where the growth in the number of alerts requiring action far outpaces an organisation's ability to hire skilled analysts, and that automation can help alleviate "alert fatigue".

When searching for talent to fill these positions, hiring organisations should be careful not to overlook good candidates because of miscommunication, or because they focus too much on technical skills at the expense of less obvious skill sets that may prove just as useful.

"This isn't something I've seen with startups, but is definitely a trap that larger companies or government organisations can fall into," Awake Security Principal Threat Researcher David Pearson says. "Just by looking at startups, these larger organisations can see that a person's degree or level of schooling shouldn't be such a big focus. Again, it goes back to that key characteristic of someone who has the drive and curiosity for the job."

He went on to say that the level of their degree, and even the focus of their degree, shouldn’t be a major barrier to considering a candidate.

Carmen Marsh, CEO and managing partner at Inteligenca Inc., notes that while mathematical and technical aptitude are often the most desired traits in the "perfect cyber-security professional," AI will replace some of the computing and high-speed tasks now done by humans, so what is left are the soft skills.

"Even more so we need the creative side of humans," Marsh says. "If you are looking to raise a new generation of cyber-professionals, find someone who besides having an analytical mind, also is creative and has an abundance of emotional intelligence, because that goes deeper than just what our logical part of mind does when we are doing the reasoning."

Marsh says that people with a high EQ can see different dimensions of everything including people and have a better understanding of what the "other side" thinks and feels, which is different from what our cognitive ability gives us.

A creative cyber-security professional may also have a different demeanour than one might traditionally expect in the role, one that may initially come across as surprising or atypical, but the experts interviewed here say that such exceptions to the norm may have the most potential.

"Security talent practitioners, by nature, are introverts and struggle with verbal communications skills," Epsilon Senior Vice President and CISO Jeff Schilling says. "When you find an extrovert who also has security talent, they are a future CISO. 90 percent of my job is communications and connecting ‘human APIs.’"

Schilling explains that when a young security analyst talks too much, for example, rather than being annoyed, senior researchers should nurture that rare attribute and set them up for management growth opportunities.

In addition, those looking to hire new talent should be on the lookout for persistent candidates. Offensive Security President Jim O'Gorman says that refusing to give up, and knowing how to work beyond the tools at hand, are very important.

"Software is designed to do a certain set of things, so testing them for vulnerabilities involves trying to make them do things they weren’t designed to do," O’Gorman says. "This is by definition difficult, so it requires a high level of determination."

He went on to say that all the technical skills in the world don't mean much if you don't have this basic personality trait. Experts agree. Pearson says talent scouts should also be on the lookout for those with a knack for solving puzzles.

"It doesn't have to necessarily be word-based, visual, numeric or any other particular type of puzzle, as long as a person has that desire to take on and conquer a challenge," Pearson says. "I can't really say that I've met anyone that's successful in cyber-security who doesn't love puzzles."

Because this skill set is also valuable in a number of fields beyond cyber-security, people in law or policy-related fields, data science, or physical security functions such as law enforcement often have problem-solving skills that translate well to cyber-security, he adds.

In addition, having that broader skill set and an ability to look at and solve problems differently can ultimately be a huge benefit for an overall team.

"We need to revamp our jobs requirements, grow new talent by letting them guide a way of thinking outside of the box, empower women and diversity to bring those new fresh ways of thinking that will help us break up our traditional group mind-set currently existing in cyber-security," Marsh says. "We need a true transformation on every level in order to attract new talent, create a strong versatile workforce and find a way to retain them by empowering them."

Transformation at multiple levels is hard, but it must happen: just because someone has been doing something a certain way forever doesn't mean that it is the best way, because everything changes, Marsh adds.

Companies have to get proactive, actively hunting for vulnerabilities and identifying them before they are exploited, and to do so they need properly trained people, O'Gorman says.

"The biggest mistake companies are making is looking for technology rather than people," O’Gorman says. "There is this forlorn hope that some vendor is just going to come up with a silver bullet solution that will allow organisations to buy a product and make all their security issues go away."

O’Gorman adds that no matter how good a security solution is, waiting for an alert to go off is never going to be an effective security strategy.

Cyber-security teams looking for candidates who are emotionally intelligent, puzzle-loving, extroverted, or some combination of these may already have people with those traits on their existing IT teams. It is important for companies to recognise this, offer opportunities to train existing staff and give them room to grow wherever possible.

When organisations need to hire more cyber-security talent, Reichenberg recommends they look to former military personnel seeking civilian careers.

"Many also hold a higher standard/work ethic due to the likelihood of having previous security credentials obtained in order to do their military jobs," Reichenberg says. "They're also great under pressure." The CISSP directory or the (ISC)² membership directory is also a good place to seek out talent, as are IT organisations and forums.

Ofer Schreiber, partner at YL Ventures, says companies should also look abroad when seeking to boost their cyber-security talent.

"One of the best places in the world to find cyber-security talent is Israel. Israel is known as a hotbed for cyber-security innovation and talent, mostly due to its elite intelligence corps units (including the famous 8200, an equivalent to the NSA)," Schreiber says.

"Israel enjoys a steady stream of talented cyber-security experts, who receive several years of training and hands-on experience dealing with the most cutting-edge cyber-security operations and dealing with some of the world’s most complicated challenges."

Schreiber adds that many of these individuals take the entrepreneurial route, and that a healthy number of Israeli cyber-security companies are acquired every year by multinational security and tech giants such as Microsoft, Cisco, Palo Alto Networks and Symantec.

In addition, companies should develop relationships with local schools and universities and take every opportunity to showcase themselves to graduates looking for internships or post-degree jobs, he adds.

Schilling says when assessing talent pools firms should make their vision clear and build a culture of relentless pursuit of security and protection.

"When assessing talent, I always ask people about their home networks, to understand if information technology and security is a hobby and passion," Schilling says. "Folks that nail that answer tell me about the PIX firewall they built for their home network, or complain their home internet service provider does not give adequate access to network logs they want to parse for malicious activity. If they have personal public cloud infrastructure, bonus!"

Experts agree. Pearson says it is also a good idea to give candidates mock problems to solve that resemble the issues they would face in their day-to-day duties.

"That's much more telling and productive than the standard interview questions," Pearson says. "I don't want to know if they can memorise and repeat things, I want to know that they can think on their feet and have a drive to solve puzzles and get to the bottom of a challenge. In fact, I'm just as happy if people ask questions during an interview versus always answering them."

Pearson says that giving those kinds of people ownership and a chance to prove themselves lifts them up and drives success, and that one person's success breeds more success.

Cyber-crime is increasing and by 2021 could cost companies US$6 trillion (£4.6 trillion), making it more profitable than the global trade in all illegal drugs combined. O'Gorman says there is no shortage of awareness of cyber-crime's importance, but there is a significant lack of action in addressing it.

"Few are doing more than complaining, and fighting over the few qualified workers that there are," O’Gorman says. "What they should actually be focusing on however is identifying training opportunities for their current workforce that they can point those interested in cyber-security to."

Ultimately it is up to organisations to invest in finding new talent and in making better use of the IT teams they already have.
