A simple cure for the cybersecurity skills shortage

An approach that has worked for centuries in all sorts of industries is just as applicable to the security field

There's a simple solution to the lack of skilled cybersecurity professionals. Which is not to say that it will be easy.

People constantly bemoan the dearth of skilled cybersecurity personnel, especially after a high-profile breach. And we hear a lot of proposals for fixing the problem: more certifications, more training, more research. All of these solutions amount to lobbying; they come from certification bodies, training companies and university researchers.

I don't deny that those proposed solutions are useful for improving some aspect of cybersecurity knowledge, skills and abilities. But taken all together, they won't give you a skilled practitioner. They won't even give you a competent practitioner. The best of these suggestions might be certification, but not all certifications are created equal. Certifications that require work experience are far superior to those that don't. Having extensive experience applying the knowledge embodied by the certification is the only way to demonstrate that you can provide expertise in securing an organization in practice.

Beyond certifications, though, experience is always the key in developing skilled security practitioners.

Many people would say that the National Security Agency, where I used to work, is the world's leader in cybersecurity, and has been for four decades. Given that reputation, it's interesting to think about how it came to occupy the pinnacle of cybersecurity competence.

The first thing that strikes me is that the NSA draws its staff from the same pool of personnel that's available to industry. Its potential employees don't have any unique knowledge, skills or abilities unavailable to private enterprises. What the NSA does is to hire people with appropriate backgrounds and skill sets and then build on those skills with on-the-job training and mentorship. It's that simple, but as I said, not necessarily easy.

This sort of thing is the normal practice in other industries. A new graduate with an architecture degree is not going to be hired to design a landmark building. Instead, he or she will work for years supporting a team of experienced architects, gradually taking on more responsibilities commensurate with his or her accumulating skills and experience. The same is true of engineers, and even of those in less prestigious professions, like plumbing. Why should we expect cybersecurity to be any different?

When I applied to the NSA, I had to take aptitude tests, which showed that I had high computer aptitude. I was offered a position in the Computer Systems Intern Program, where I had rotating job assignments in the computer field while attending various computer-related classes. Those classes were virtually the same as those taught at most colleges. My work assignments varied in responsibility, but that responsibility was always commensurate with my abilities. I was not looked to as an expert. Expertise takes time to develop and has little to do with the number of classes taken, certifications awarded or degrees attained.

My assignments involved programming, systems and network administration, cryptanalytic programming, database design and administration, white- and black-box software testing, and other functional roles. While none of those roles directly involved security per se, they all involved security when done properly.

The tactic that the NSA used was to add security skills, gained through experience, to competent individuals, rather than to take cybersecurity graduates and throw them into security matters with no experience. Even the highly accomplished NSA Tailored Access Operations unit was not staffed with people with degrees or certifications in cybersecurity, but with really smart IT professionals who understood the underlying technologies and were able to figure out how to exploit them.

When you look at the early experts in security, including those at the NSA, none was a formally trained security expert. They were either transplants from other areas of information technology, or they were considered to have exceptional ability and were mentored.

So when you look at the cybersecurity skills shortage, think about what is already working, at the NSA and in other industries: starting with capable people (even though their skill sets might be tangential) and having them apprentice under skilled people.

This approach takes time, effort and money. It's not easy. It is, however, what actually works.

Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site, irawinkler.com.
