Building the next generation of cyber professionals
According to (ISC)², by 2020 there’s expected to be a global shortfall of 1.5 million cybersecurity experts.
Finding, hiring, developing, and retaining cybersecurity professionals is one of the biggest challenges for any enterprise and has led to a significant rise in managed security services providers (MSSPs). These providers can usually perform IT security monitoring at a lower cost than an organisation would pay to perform such functions internally. However, even MSSPs are finding it hard to locate talent. Everyone wants a security analyst or engineer with over five years of experience, but what about the IT professional interested in moving into security? What about the helpdesk or network specialist who’s looking for a new challenge? And how do we motivate young people to consider cybersecurity as a field of opportunity?
Change is inevitable
I believe it’s time for the security industry to think about alternative sourcing, training paths, and awareness campaigns. I’ve had the pleasure of knowing many security operations centre (SOC) managers in different countries, working for different companies, and I’ve also worked with a range of incident response consultants and teams.
What I’ve observed is a new twist on an old Latin saying: ‘I will find a way, or make one.’ In security operations, I believe we can create a SOC analyst of any IT professional who has a desire to learn something new, and enjoys solving puzzles and communicating. As the field of security operations matures, we’ve all developed processes, procedures, and handbooks that we can use to guide new analysts along their path. In engineering, a person could start with a background in systems or networking and then work towards completing a combination of vendor and industry training courses and certifications. They could also be mentored and receive one-to-one training.
Many incident response professionals believe that junior team members don’t necessarily need a background in security, because there are roles for individuals with vastly differing levels of experience in any investigation. However, what’s mandatory, they say, is an enthusiasm for the topic and a desire to better understand security. Troubleshooting and root cause analysis are also important skills, as is the ability to communicate effectively, both verbally and in writing.
Building the digital native, today
Where I feel we’ve failed future security practitioners, and an area in which we can do more, is sharing our global, vendor-independent ideas on education. We need to start building cyber awareness into our children’s school curricula and ensure they know how to stay safe online. We need to teach them how to tell a good website and email from a bad one, and how to practise safe surfing. We need to ensure they understand that being adept in computer programming doesn’t mean that you’re security-savvy.
We should profile cybersecurity professionals in the same way we do doctors and firefighters, and demonstrate how a career in the military or public service could potentially lead to one in cybersecurity. There are as many stories of how people got into security as there are professionals in the SOC. It’s up to us to show newcomers that this path is both rewarding and, ultimately, lucrative. The heart of it all is passion. If we could find more ways of communicating that passion and enthusiasm, I think we’d have more people interested in following this path.