The gap within the skills gap: What does cybersecurity really need?
I recently took to LinkedIn to air my views on one of the most talked-about topics in the world of tech: the cybersecurity skills gap. The skills gap is often discussed in urgent terms and, given my job as a cybersecurity recruiter, I see how it plays out in practice. But information security is a broad discipline, and I think we need to be more specific when we talk about a “skills gap.” I believe the genuine talent shortage is in hands-on areas, like application security and DevSecOps.
Last year, Forbes released an article stating that the cybersecurity skills gap is an “industry crisis.” As attacks get worse and more commonplace, it noted that companies need cybersecurity professionals more and more. But because of a perfect storm of scarce skills and high demand, security jobs come with a high salary, meaning that businesses not only struggle to find the right people, they have to pay top dollar to get them.
All of that means that cyber-criminals are having a field day, as the article illustrates. Attackers take advantage of ill-prepared companies, knowing that they are likely to be successful. It’s clear that the industry does need to improve, for the sake of customers and businesses alike.
And to do that, we need good people, with the right skills. The industry has known for a while that those people are not easy to come by – there are simply not enough of them. There are a lot of reasons for that shortage, and it’s worth bearing in mind that it’s not the easiest industry to work in; the stress of the work means that mental health issues are rife.
But I think that it’s not enough to say that we need to “fix the skills gap.” We need to delve deeper into where that gap actually is, how it comes about, and what we can do to fix it.
In my view, the really hard-to-find people are professionals with hands-on experience, who can competently throw themselves into application security and DevSecOps teams. As I wrote in my original LinkedIn post, these are areas where you may actually have to get your hands dirty, not just consult on what should be done.
From my experience in the cybersecurity recruitment industry, I think this gap exists because the most common route into technical AppSec is through a programming background. The job requires people with the right technical skills as well as a security-focused mindset, creating a hard-to-find niche. With hands-on roles, you need to be technically proficient as well as be able to understand and integrate security into the work. That’s not an easy thing to find.
A few industry insiders got in touch to give me their views on this problem. For Allan Degnan, DevSecOps/Security lead at Dixons Carphone, it remains about the people. By giving security staff opportunities to progress while remaining in a technical role, those talented people will be able to achieve the personal success that they want, while remaining in the technical positions that they enjoy and have trained for, rather than having to become managers.
Mario Platt, director of cyber security at Broadlight, told me that it’s about getting non-technical people comfortable with “actually touching tech” – and to do that, they need to be given the space to fail, he said.
What we don’t need are more consultants. Security consultants, of course, are valuable contributors to the cybersecurity world. But for now, we need to roll up our sleeves, and dig into addressing the skills gap in a targeted fashion.
(This post originally appeared on the ISACA blog.)