Cyber Security Skills Shortage

Shoaib Arshad
4 min read, Nov 17, 2019


So, in my last post, I wrote about how getting a digital identity is not just a need but a must-have to further your career in cyber security. Before writing any other technical post, I want to give my opinion on the much-hyped cyber security skills shortage.

As per the New York Times article, “Cybersecurity Talent Crunch Will Create 3.5 Million Unfilled Jobs Globally By 2021”. This number was estimated to be one million in 2014, and it's only getting worse by the day. Let's talk about the consequences of such an industry-wide skills shortage.

Needless to say, recruiters are under much pressure to fill the positions, which has resulted in setting the bar really low for new candidates. You will see many cases of unqualified and inexperienced candidates getting placed in critical cyber security roles. Here are some cases that I have seen play out over the course of my career.

A senior software developer was transferred to the information security team to perform secure code reviews, as a regulatory requirement. It was promised that she would be trained for this, as she didn’t have the relevant experience. A few months down the line, not only did she not receive any training at all, but, since a team member resigned, she was also assigned full-on information security governance tasks.

A fresher was successfully placed as a Senior Information Security Specialist just because he had a Master's degree in Cyber Security. He might have been confident enough and able to crack the interview, but the lack of experience and skills led to a point of embarrassment for the management after hiring him.

The other side, i.e. cyber security vendors, has suffered equally due to this crunch. More often than not, vendors are hard pressed to find the right candidate in a short amount of time for a newly acquired client/project. Although they partially have themselves to blame, as they tend to keep the budget limited to maximize their profit. The only way this ends is by bringing a low-skilled resource on board and then training him on how to exaggerate his experience level and skills after going to the client side.

A similar thing happened when I was doing an application PT project. We were critically short of resources and had strict deadlines from the client. To my surprise, one of the new guys who joined us onsite had no experience with application security. The only reason he was hired was that he was willing to join immediately and came within the allocated budget. The end result was that although we could barely meet the deadline, the new guy got himself fired in just a few months, as he simply didn’t have the skills for such a role.

A few years back, there was a requirement from another client for an admin for ArcSight, which is a SIEM tool. It was fulfilled by hiring a Level 1 analyst. He only had experience of monitoring events on ArcSight, but no experience of maintenance or of integrating new devices. Although he had cracked the interview by doing some self-study, he was not in a position to manage the platform all by himself. Complaints started coming just a few days after he went onsite. The whole project got cancelled, the client did not pay, and it didn't end well for anyone.

I can go on and on about such cases. But in the end it comes down to the shortage of skilled resources in a domain which is relatively new. The important point to note here is that there is a shortage of skilled resources, and not just of resources. The incident below makes this point very well.

We had two vacancies for junior positions in an appsec role. The idea was to hire someone with good fundamentals and provide training for them on the job. As it was a walk-in interview, more than twenty people showed up, out of which around ten were CEH certified. Surprisingly, at the end we could only hire one guy, and the other position was left vacant. None of the rest could answer simple, basic questions on application security.

Another consequence of this shortage is the low retention rate for skilled cyber security practitioners. This is a natural outcome, since there are ample opportunities to choose from, and it's getting increasingly difficult to retain people in cyber security. The shortage of cyber security skills is real, and it's only going to get worse in the coming years. We are potentially looking at a scenario where every IT position is going to be a cyber security position. If you are a developer or an administrator, having knowledge of basic information security concepts is going to be an absolute must. All of the above factors, coupled with the exponential increase in cyber crime, have further heightened the crisis.
