Interview: Firemon's Matt Hines on how to reduce that massive security skills shortage

ITProPortal probed Matt Hines, Product Manager at Security Management company Firemon, about the very real security threats induced by the skills shortage and what can be done to mitigate it before it is too late.

Is there a cyber security skills shortage?

There's no question that there is an acute shortage of experienced IT security professionals, and this has been evidenced through a number of research projects, perhaps best by the (ISC)² Global Information Security Workforce Study which estimated that it would take up to twenty years before training efforts close the gap in supply versus demand in terms of available workers. The most significant issue will be on the high and low ends of the spectrum, in terms of applicable skills. You will likely have people being put in place in entry level operational IT security jobs who simply do not have enough background to do the work to its fullest, and you will have people elevated into management positions sooner than they might, based on sheer demand alone. As you can imagine, this will also make life harder on workers in mid-level positions as they will be the ones who have to pick up the slack.

What is causing this shortage?

The shortage problem is twofold. First, there is a dramatically increasing demand for trained professionals, which greatly overshadows the current availability of experienced people – there's simply more demand than in years past, and you can't just create seasoned workers out of thin air. Second, most available training is focused on helping experienced workers gain certifications to move up into various areas of specialisation or management; there are far too few university level training programs that focus on the skills that are truly in demand. The classes that are available tend to focus on running reports and looking at results, not the day-to-day functions of keeping an organisation protected.

What are the skills that are most in demand?

The most significant shortage is among those workers directly responsible for doing the hands-on work necessary to defend networks and systems. This is because these are the most in-demand professionals out there and they must be workers who have considerable experience to do it well. There simply aren't enough trained people out there right now, which results in both a shortfall in qualified individuals and the use of inexperienced people when there's no other choice. These would include people such as network security administrators, remediation staff, vulnerability and compliance audit specialists and pen testers. These are not entry level positions, and even equipped with some certification or training, the lack of hands-on work experience is still a huge challenge.

How can the security industry help address this shortage?

There are a number of different ways to help address the shortfall of experienced professionals: by encouraging more training and certification efforts at the university level and making related donations, as well as by sponsoring organisations that provide training, such as the SANS Institute. This will hopefully result in a larger number of trained professionals, but you can't just make up for the issues around lack of experience overnight. A great deal of the responsibility actually falls on the end user organisations; they will only be well staffed if they are willing to invest in making it so themselves, and I don't mean from a hiring standpoint, as clearly there is a fixed range of potential candidates. Organisations need to invest in their employees, allowing them to participate in added training to broaden their skill sets. There's often a fear that once these workers get added certification, they'll job hop, so organisations should recognise employees' achievements in some form, from a pay or bonus standpoint.

What needs to be done from an Education standpoint?

It's fair to say that there need to be far more universities that offer IT security as a formal curriculum, that have the proper set of courses and trainers to create a whole new generation of security professionals. These people will obviously be cross-trained and given some education about many areas of practice, but there should also be higher level courses for specialised areas including network security, audit, vulnerability management and penetration testing, etc. Obviously you could see schools offering masters and perhaps even PhD programs; it's a vital field of scientific research, so you would think this should already be the case, but I haven't heard that much about those types of programs. Again, perhaps this is where the industry can help by making donations to schools that are willing to launch such programs. Many security pros here in the U.S. come from military backgrounds, as of course there's always been an emphasis on security. The armed forces in any country could easily promote this as a field of good promise for post-enlistment career potential.

Could the skills shortage help to drive technology innovation?

Of this, there is certainly no question. Remember that automation, the whole concept really, was essentially invented to help expand the capabilities of human workers, and in some places make up for live bodies, through building these systems that do some of the work. Now, one always has to believe that having a larger team of well-trained, experienced staffers is going to provide the best value, but whether you can only afford, or find, a smaller group, or even with a robust staff, arming those pros with the best available tools is going to help immensely. Some issues around firewall management, for instance, are truly based on the scale of the network; few organisations can assign a staffer to oversee a small subset of devices if they have, as many large organisations do today, thousands of boxes. This is where automation can really help, providing visibility and validation to ensure that all the firewalls are in place, up to date in terms of policy and adding up as a whole to provide adequate protection. In fact, it wouldn't make sense at all to hire all those people if you could find them and afford them; you'd be smarter to use automation in this instance and assign people to more hands-on tasks that haven't already been addressed via computing capabilities.

What is the current effect on the security industry/market?

There are a myriad of troubling results, but maintaining proper defenses on a day-to-day basis is the real problem. As you can imagine, if you have inexperienced staff charged with keeping network security device policies tuned to support changing business needs and to stop the latest attacks, that's a fairly demanding process, and relatively minor mistakes in applying policies or changing access can lead to disastrous results. The potential impact is as extreme as it can be because the tolerances are so severe these days with the volume of attackers and the variety of techniques they employ. Attackers only need to identify a very low level point of access to get into the network, and then from there they can seek to advance their position until they reach sensitive systems or data. Most successful attacks utilise very simple security shortcomings to gain initial access.

Education? As a vendor/employer what skills do you look for in an interviewee? Is a formal education important?

Several of my peers in operations for various-sized organisations uniformly agreed that the number one thing they look for is real-world experience. All the training in the world, as valuable as it is, cannot replace time spent in the trenches learning the nuances of real-world, day-to-day operations. Someone with years of hands-on experience has a big advantage over another candidate with a degree but fewer hours on the job. So that's a bit of a catch-22: when clearly there is a skills gap, workers have a lot of power and know they are in demand, which makes it tough for managers and hiring agents alike. People job hop, and that's accepted, but you don't want someone to leave a few months after arrival just because they got a better offer elsewhere; there has to be some mutual respect in terms of negotiating benefits and being willing to stay at a job for a certain amount of time. Secondly, organisations are looking for people who are willing to learn.

No doubt employers want to see a degree or certain certs, but they also want to hear that candidates are willing to learn new skills and wear different hats, and it also comes through that they're looking for team players. The stereotype of the guy in black hiding in the server room is quickly becoming just that, as organisations need people who can both work together with colleagues in security and help communicate various policies or parameters to people outside of security. If you want to be the misanthropic worker who just stares at feeds all day, I'm sure you can find it if you know your stuff, but if you want to move up the food chain, I think you need to be more of a business- or user-friendly face than perhaps you did in years past.

Is the security skills gap widening, or are we closing the gap? What is being done right/wrong?

Despite the fact that there are far more experienced pros out there than ever before and an increasing number of training programs, the sheer ubiquity of the demand does point to a gap that is still widening. A recent report found that demand for cybersecurity professionals has grown more than 3.5 times faster than for other IT skill sets over the last five or so years. IT security isn't just the domain of a few select experts; it's a field whose skills have over the course of several years become an area of need for almost every organisation. You can't just account for that overnight and hopefully the gap will narrow based on more trained workers and the availability of better automated solutions to enable their work and expand their reach.

Awareness of all of this has been heightened greatly with the mainstream media coverage of intrusions etc., and that is always a good thing; organisations have to start by building awareness of an issue if you hope to make progress, and hopefully the headlines have encouraged interest among students and people looking to make a shift mid-career. The only mistake that I can think of would be people who are discounting the need for more workers as fear-mongering promoted by individuals seeking higher salaries or vendors attempting to sell them products. Anyone who has taken a close look at the current environment has to recognise that the problem has grown leaps and bounds, and this absolutely demands more attention and therein more skilled experts on the job. There will always be those business executives who are so focused on the bottom line or overhead that they write it off, and those who do will grow to regret it.