
Security skills shortage will worsen if firms don't change their ways

By Sibahle Malinga

Johannesburg, 02 Jun 2021
Jason Jordaan, principal forensic analyst at DFIR Labs.

The global shortage of cyber security skills is likely to continue, mainly because businesses are focused on doing only one thing – hiring new talent instead of incorporating on-the-job training initiatives.

This is according to security experts speaking in a panel discussion at the ITWeb Security Summit 2021, chaired by Jason Jordaan, principal forensic analyst at DFIR Labs.

The panel examined strategies for bridging the security skills gap and centred on understanding the reasons behind the lack of security skills available locally and across the globe. The panellists agreed that the lack of internal talent production, combined with a high dependency on managed service providers and technology solutions, would likely worsen the security skills drought and fuel a rise in cyber crime.

“It seems as if every year there is a continuous shortage of security skills and this could be partly because organisations need to focus not only on recruiting but also on developing an internal talent pool. At the same time they need to ensure that talent is retained,” said Frank Kim, founder at cyber security consulting firm, ThinkSec, and fellow at security training institute, SANS Institute.

“The reason why this can be challenging is that information security is a multi-disciplinary field and the people in this field need to know about networks, systems, end-points and applications. Somebody that might be new to this space could be a little bit overwhelmed by that. There definitely needs to be more done in terms of pushing that foundational knowledge throughout the industry.” 

Tools versus skills dichotomy

James Lyne, founder of CyberStart and CTO at SANS Institute, noted that company management and HR departments are often persuaded by vendors that all they need to bridge the skills gap in their organisation is to get the right managed service provider and advanced tools.

“Managers are faced with the dichotomy of trying to balance the tools with the right internal skills. A lot of the technology that was considered advanced five years ago is just foundational today. So we can’t ignore that the core technology basis that is out there is consistently shifting. As a manager, you are always trying to figure out what are the key entry level skills you need to fill. So sometimes it may seem easier to just buy the latest tools... but then they may run into issues because they don’t have the right skills to make those tools effective,” noted Lyne.

In IT and cyber security, there is a huge amount of knowledge that is required to be at the top of the field, said Lyne, and this is equivalent to being a doctor or the most intricate scientist. This is mainly because cyber security is the supporting pillar of pretty much everything in the digital age, as more advanced technologies are introduced in the business arena.

“We need to do a better job with the people who have decided that they want to be in cyber security and allow them to succeed in various roles within the profession. You don’t want someone going to be a surgeon, doing so without first studying the anatomy,” asserted Lyne.

Jordaan highlighted the big drive within a lot of organisations to almost only focus on the capital investment – the purchase of the big tools – and not so much on the development of the individual member of staff.

Shedding light on how this can be addressed, Rob Lee, chief curriculum director and faculty lead at SANS Institute, pointed out that buying the tool without the fundamental knowledge to use it has always led to the skills gap that exists in the cyber security field today.

“When you look back in time within the field, you realise that it’s never been the tool that makes the practitioner. Most companies are struggling with this because of the way that they approach general hiring practices – they overshoot – and as a result of that, they aren’t able to hire the right people,” added Lee.

“It’s a concerted effort to develop those individuals from the start and it needs to be a definitive recruiting effort where organisations are going to bring people in, train them and build them through the next five years of their career,” Lee concluded.
