Some of the [Many] Problems with Security Skills

Some of the problems with Security/Infosec/Insert whatever you want to call this industry here and the discussion around skills shortage plus realisation that the expectation vs reality on both sides of the fence needs to be reaffirmed.

2 months ago

More extended title; Some of the problems with Security/Infosec/Insert whatever you want to call this industry here and the discussion around skills shortage plus realisation that the expectation vs reality on both sides of the fence needs to be reaffirmed.

I usually publish technical blog posts, but this one will not be technical for once.

This blog post is my opinion about the skills shortage and the differing views between expectation and reality in the industry that is computer security (or cyber if you're new here). I originally started writing it in 2019 and it all started from a tweet (it always does), simply asking if a 0% unemployment in Security was fact or fiction.

I picked this post back up in 2021, asking if there was a people or skills shortage, and the overwhelming response was 'yes': there is a shortage of both folks with the correct skills and bodies to fill the roles; this has been expanding at a constant rate over the last few years.

So before diving in feet first, here is a shortlist of the current points that are discussed a lot surrounding the issue of shortage of skills in the security biz:

I asked the internet if there is indeed a skills shortage (twice):

Is there a skills shortage in Security? - Andy (@ZephrFish), June 28, 2019

And after 434 votes, 3/4 said yes (on both occasions), there is indeed. Perfect, I thought, this argument is justified. Little did I know that by posting the question I'd bitten off more than I could chew; cue hundreds of replies, DMs and emails with everyone telling me their personal view on the way things are and how one area is lacking but another is not.

Differing Views

With all of that said, I set out to speak to lots of different people about their views on what the skills or people shortage really is and how we can work to improve it as a collective industry.

There is an overarching cybersecurity skills shortage, not just a shortage of pentesters. The deficit is across the board and affects all manner of industries because there are focused jobs that are 'cyber'; however, any IT position will involve some security exposure even if it is minimal. There was an IT skills shortage a while back, but now that industry is booming, the same shortage has been passed across to security.

Dialling down the measurement of the shortage depends on who you listen to; the collective governments define those in cyber across all industries. In contrast, the media generally represents those in cyber or more the shortage based on the number of open job requisites on forums, boards, job sites, etc.

Employers' Views

The biggest thing to come out of 2020 was an uptick in companies hiring, mainly due to many folks uncertain of their future and sitting in their current roles. This led to many openings being created, not only in the current job market but those starting their path into the industry. This continued to grow as educational institutions moved to teach remotely, leading to more folks coming through various schools. Thus, a more significant number of folks moved to start their journey.

So, to answer the question: is there a skills shortage? The main issue here from an employer perspective is that while the market may be flooded with bodies and skillsets at points in time, it's not the talent that everyone wants or the skill level required. More often than not, when seniors in a company leave, it is much harder to replace them than to recruit folks for more entry-level positions. The other limiting factor that many companies overlook is internal training; if/when you lose a senior member of staff, why not invest in your current staff to enrich their skillsets and train them up to a level where they can step up to the mark and start learning more?

New Candidates

The other factor that plays into a lot of employers' views on things is time to train and deliver (depending on the field). This is where new candidates can be a significant risk but often are good ones to take, as by taking the risk of training someone up, they can potentially be prepared to pass their learned skills onto the next generation.

For a while, there was a massive skills shortage in specific security areas, so the university courses and self-study courses were geared towards offensive security to try and fill those gaps.

Again, the market moves in waves. There is forever a shortage in the defensive sphere, with not enough focus on the entry positions; many new candidates to the industry are all geared up for hacking or focused on pentesting, with little thought given to the real heroes of this story (the blue team). So the skills shortage lies not just in one specific field but, as I've stated earlier, in multiple areas. The issues also stem from candidates focusing on pure security roles but often forgetting or not realising that security can be baked into many other roles and industries.

Conclusion

So, is there a skills shortage?

Yes and no...

There's no single solution for the many problems. Sadly, it is shared with a lack of understanding between all sides. We can collectively open up and help folks in all areas; if you are hiring, tell people and be more precise with what you are after; if the candidate does not have the required skills, offer training if it is feasible. If you are looking for jobs, try other areas, too, not just your focal point, as you will find your skillset is diverse and often, many paths lead to a fruitful career.

Andy Gill

Published 2 months ago