We Need to Kill the ‘Security Analyst’

An oft-overlooked aspect of what’s wrong with security hiring, and how we can fix it…

Tl;Dr(1/3) — not literally kill them… just the nascent idea of a ‘security person’. Employers need to stop just going “oh, we need a security… person… analyst… thing…” and instead up their game when it comes to identifying and then recruiting the tech and security talent they need to manage their threats effectively. If we improve this, the right people are hired, people can see clearly what skills they need to acquire, and threats get mitigated.

As such, we present a draft Infosec Skills Matrix — a document that matches roles to desired and necessary skills, designed to aid better facilitation of hiring decisions for CISOs, hiring managers, but also as guidance to students and educators.

Win, win, win…

The Security Analyst in their natural habitat…

So, what the hell do you mean, Mark?

I regularly hear two things in infosec hiring:

  1. We have a skills gap!!
  2. We have a diversity gap!!

…and both are correct, I think. The former I will better define below.

With respect to the latter, there is a huge diversity problem, but this is not my area of expertise. I do what I can with @bsidesleeds to make what small changes I can to make a more inclusive and welcoming space there, but that isn’t the topic of discussion I want to explore here. The multitudinous merits of a diverse workplace, with all the amazing solutions possible when multiple and different points of view meet at the nexus of a problem and the subsequent praxis into workable solutions are, I think, obvious.

Additionally, I think infosec is very well covered off when it comes to ‘leadership’ stuff — CISSPs, endless CISO trainings and meetings, etc. There are some very good people leading pioneering organisations and coming up with the Big Ideasthat we need to motivate and educate people about security into the second quarter of this century.

The Skills Gap is Wider Than We Think…

But the tech ‘skills gap’ is something I have personally witnessed, and it is there. People applying for roles without an understanding of what the role really entails.

I have had to ‘use my nose’ with candidates to work out if, when they say they are motivated autodidacts (of which I, too, am one… I was a violinist first, after all…) they in fact are, or people who need just want to be Mr. Robot, or think they look good in a hoodie.

I would like to wax lyrical about how I’m yet to see a woman or someone from an URM that was a poser in an interview, but again, this is not what I’m on about…

The issue I want to address is how I have had some stellar candidates infront of me for hiring purposes, and I have to assess not how skilled they are, but how well they’re going to adjust their presented skillsets to a new and very different environment.

But isn’t this just what happens when you move jobs?

Yes. But it shouldn’t be a concern for someone’s first role… This is something I am having to think about with those entering the industry, as well as seasoned pros.

It’s not right.

This is because there isn’t so much a ‘skills gap’ as much as a ‘skills mismatch’. In short:

We’re not seeing the skills we need and want as we’re not properly defining what the actual needs and requirements are.

The Skills Mismatch Is the Industry’s Fault…

Tl;Dr(2/3) — Employers are not properly defining what they want from candidates, which means candidates and educators don’t know what skills to acquire/teach, and as such this is a group problem.

The line of thought in nearly every business that is hiring security people is roughly as follows:

  1. “Gee, this security thing is a big deal! We’d better find someone for that…”
  2. “So, let’s hire a security person… not a manager, as we already have plenty of those… so a security… analyst?”
  3. “Sounds good… I’ll put it on the Google…”

And so a job role advert is born. But because of this default parlance, we are forced into the minutiae as to deciphering what the organisation actually wants to hire. As such, no two security analyst roles are alike…

At all…

To illustrate, let’s look at these two lists of requirements chosen at random from a Google search top 10 results…

Security Analyst position 1:

  • Install security measures and operate software to protect systems, infrastructure and data
  • Ensure that IT security is implemented, maintained and tested, for perimeter and back office systems
  • Investigate and document security breaches and incidents, participate as part of an incident management team
  • Work with the security team to perform tests and uncover network and system vulnerabilities
  • Fix detected vulnerabilities to maintain a highly secure IT infrastructure
  • Design and implement penetration testing and vulnerability scanning
  • Provide the leadership and management of the patch management and upgrade procedures

Security Analyst position 2:

  • Ensure Quality of Critical Business Systems is kept high at all times
  • Responsible for Identifying IT Security Risks to provide Remediation and IT Security Management Plans
  • Involved in multiple exciting projects and responsible for being and keeping the client’s aware of emerging threats
  • Involved in all aspects of IT Security Management including Vulnerability Assessment
  • Attends Training, Meetings as requested by Senior Management.

Genuinely, these are two I just chose at random with a silent criteria that they had bullet points I could copy/paste into this article.

OK, so what’s the problem??

Well, just look at them! They are supposed to be for the same role! Both are £35–38k per year. Both require 5 years in IT, and a smorgasbord of certs that I’ve never had, and I consult to large companies on security.

Both roles deal with vulnerability identification response differently — the first saying an analyst will be fixing vulns (so, they need sysadmin experience) and the second saying they will just identify stuff (leaving the fixing to others, presumably).

I could go on, and on, and on about how disparate these role definitions are, but I think it’s fairly obvious to any logic-capable person, of which, dear reader, I am sure you are.

This Isn’t Just About Tech

Tl;Dr(3/3) — We need to talk about roles and how they meaningfully connect to skills. To this end, we have created a skills matrix (see below) to aid this conversation, that has performed well in actual field testing.

It is easy to cop-out and declare “We just need new certs!”, which is the default cry from those who deal with problems by means of money as opposed to carefully considered thought.

We need a solution to the following problems:

  1. Hiring Managers need to know how to better describe what skills they need
  2. Educators need to better prepare their students for the roles they want to place said students into
  3. Students ARE DESPERATE for better, informed guidance on what skills they should be learning or trying to acquire

The prevalence of a non-contextual ‘default skillset’ for infosec is, paradoxically, killing infosec!!

Here’s my hypothesis:

If students knew better what to learn, educators knew better what they needed to teach, and hiring and tech managers knew better what to look for when hiring, then businesses will be better protected against threats.

A Proposal for Part of the Fix

There is no one-shot ultra-fix for this. Some of these issues are deep, ingrained, and problematic for all. But there is, I think, something that will help.

An Infosec Skills Matrix.

Here’s what I’m talking about:

Here’s a quick overview about what this document does:

  • Firstly, it maps skills to roles — as such, it is a better list of roles that you could hire/apply for than just ‘security analyst’, and is designed to help both parties work out what role description works better.
  • Skills are signalled using traffic light scores for ‘necessary for role’, ‘nice to have for role’ and ‘good in an ideal world’.
  • Skills are loose enough to permit industry specific differences, but specific enough to give rise to meaningful google/bing/library search results.
  • It is in a representational form that is easy to manipulate, update, and fix.

The intention is that we will update this and it will become a living document. Forked versions are also welcome.

But who is the ‘we’? Myself (Mark Carney, AKA Mark), and Dennis Groves (of OWASP fame). It is the first step in a number of steps to try and help improve some of the career and management ‘mechanics’ in the industry, and also has details borne from my work with Winn Schwartau on the Analogue Network Security project.

I have also had significant input from various parties on this, including:

  • hiring managers
  • recruiters
  • students
  • lecturers
  • workshop/training leaders
  • technical managers
  • consultant professionals

and many more roles. But…

We want your feedback!

We need this discussion, and we’re hoping to spark this conversation and through constructive feedback stimulate and build off honest conversations about infosec hiring.

But for these to happen, we need a starting point… so here it is!

My thanks for your time. M.