Desperate measures
Just how hard is it to find people?
Benway tells the story of one global technology company whose stringent hiring standards have made it a target for poaching security talent – even before that talent shows up for work. "One of their competitors has a policy now that if this particular company makes an offer to any individual, the competitor company will offer that individual 10% more. Sight unseen, no interview necessary, because they know they've made it past that particular bar," Benway says. "That's the kind of thing some of these companies are facing."
One reason it's hard to find people is the maturity of the profession. Roles such as SAP architect or Java developer are mature, well defined jobs with established skill sets and training protocols. By comparison, cybersecurity is relatively new, Jethi says.
Experts agree more education and training are critical to increase the candidate ranks. "One of industry's biggest concerns, or criticisms, relative to security talent that's coming out of colleges and universities is that ... the academic learning is terrific, but you really need hands-on experience in a cyber security environment," Benway says.
Jethi agrees. While many colleges and universities are trying to bolster their cybersecurity curriculum, in the meantime, "there is no ready pool of talent that you can groom and train," he says. To help address this issue, Cisco is running a pilot program with Duke University and Purdue University. "We're looking for people with engineering, analytical, and data backgrounds and abilities and interest, and we're offering them internships with our security business," Jethi says. The interns work on site at Cisco’s security operations centers. "Even while they're in school, the internship allows them to get specialized exposure to the cybersecurity program."
If the pilot goes well, Cisco plans to expand the program to other universities. "They're not experts, obviously, on day one, but they start out with a much better view of what the cybersecurity world looks like and how to prepare to work in an environment,” Jethi says.
Within schools, getting students exposed to real-world conditions is a growing priority for cybersecurity educators. UMass’s Wilson notes how other fields prioritize hands-on work: "My son is a first year medical student, but already he's doing surgeries a couple of times a week. He has lab courses and he has academic learning. He's getting hands-on experience right from day one,” Wilson says. “I think that's an area that we need to do a lot better job of, as far as cyber security is concerned."
The Burning Glass report turned out to be a catalyst for UMass to bolster its cybersecurity academic programs – an initiative that’s being driven from the school's top leaders. The university also is boosting its research focus. Participation in ACSC is one way that UMass is partnering with industry to develop the criteria for its academic programs. “We recognize that we can't develop curriculum in a vacuum outside of industry,” Wilson says. “Collaboration is really critical to anything we do in this area."
For its part, ACSC is working to launch a fellowship program that will connect students with industry players to improve talent development. Harvard, MIT, Boston University, Northeastern University, UMass, and Worcester Polytechnic Institute are all ACSC members.
"The idea is to identify the talent within these universities, and connect them with industry members in the form of fellowships that are related to the areas of research these students are pursuing -- which are also areas of interest for the industry folks," Benway says. Once launched, the fellowship program will then feed into broader collaboration on R&D projects and solutions, he says.
More training and education also are needed for IT pros who’ve already begun their careers. There are opportunities for people skilled in incident response, for example, or risk professionals, to transition into cybersecurity roles. "People who understand the business world, and processes, and have an aptitude for technology, whether they're actually in the technology organization or not. They can be potential candidates today as well,” Stroud says.
But it takes work. "There's a defined lack of training available right now. We want to bring some of those training courses in," Stroud says. "That's one of the reasons why ISACA transitioned into this space. We saw this need, over the complete career and various skill sets, of a security professional's progression.”
ISACA administers four certifications -- Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC). Last year, the organization launched the Cybersecurity Nexus (CSX) program, which specifically targets cybersecurity skills development with research, education, certificates and certifications, and industry mentoring programs.
How picky is too picky?
UMass is able to hire student workers and recent graduates in greater numbers than a lot of organizations, Wilson says, but the university still struggles to fill more senior security roles. "The higher level positions, or the more senior level positions, we still have difficulty finding the right talent, just like any other industry.”
At the senior level, the qualities that make a strong candidate are a combination of technical acumen and business skills.
“You need technical skills, because you have to figure out what's going on. It's not always easy, because the adversaries are getting better and better. To diagnose, to figure out whether or not you're being attacked, to identify root cause, and to figure out whether any information has been infiltrated -- it's not straightforward,” Wilson says. At the same time, candidates need strong business and communication skills. “While you're fighting the fire you need to be communicating with executive management.”
Akamai’s Ellis views the staffing challenges differently than many of his peers. "There are areas of the country where finding people with a specific seniority level is really challenging,” he says, but “that doesn’t mean that there's a shortage overall.”
It depends on your hiring criteria – and where you're looking for talent, Ellis says. "If you say, 'I'm looking for a CISSP,' recruiters will find you someone. If you say, 'I want somebody who deeply understands safety analysis,' it's a hard problem, especially because there aren't a lot of them in the security community yet."
In particular, candidates that fall between mid-level technical staff and senior staff can be scarce. “When you want people to already have 10 years of security experience, and a deep technical background -- there really is a shortage of good quality folks like that,” Ellis says.
Akamai’s solution is to venture outside the security community for many of its hires. The company recruits people who have done release management, or software engineering, or safety and hazard analysis, for instance. Or people who come from a different technical background entirely, such as biochemists. (See the full story, Akamai CSO takes a creative approach to finding security pros)
While Akamai casts a wide net for security talent, one quality that’s highly valued is passion. “We look for people who are really bright, who are passionate about something,” Ellis says. It would be nice if that something was security, but it doesn’t have to be.
Admittedly, not every company has the resources to turn bright people into cybersecurity professionals. An out-of-the-box hiring approach takes extra work on the part of recruiters, hiring managers, and the people who train newcomers.
"Instead of the problem being that I can't find good people, my problem is that I have to turn great people into great assets,” Ellis says. “Now you have to make sure that they learn your systems, that they learn security and understand the language, and that you can mentor them.”
Some of that hard work is unavoidable. Whether a company sets out to hire someone with a traditional cybersecurity resume or from a nontraditional path, there are going to be compromises -- the idea of finding someone who can immediately do everything and doesn't have to learn anything is absurd. “You're going to have a hard time if that’s your standard,” Ellis says.
No one hire will fill all the gaps, and continuing education and training are imperative to build a strong security team. "There's no magic potion here," Stroud says. "It has to be a sustained and continuous program."
This story, "Shortage of IT security pros worsens," was originally published by Network World.