Skills

The cybersecurity skills shortage has been discussed in many different ways in recent years, but a successful hiring event held by the Department of Homeland Security has some wondering whether that event was a cause for optimism or an outlier.

The Department of Homeland Security (DHS) held a two-day hiring event "aimed at filling mission-critical positions to protect our Nation's cyberspace" in July. According to a new blog post, that event garnered "over 14,000 applicants and over 2,000 walk-ins" and culminated with more than 800 candidate interviews and "close to 150 tentative job offers."

Angela Bailey, chief human capital officer for the DHS, said in a blog post that the DHS "set out to dispel certain myths regarding cybersecurity hiring," including the ideas that there is a cybersecurity skills shortage and that organizations cannot hire people "on the spot."

"While not all of them were qualified, we continue to this day to hire from the wealth of talent made available as a result of our hiring event," Bailey wrote. "We demonstrated that by having our hiring managers, HR specialists, and personnel security specialists together, we were able to make about 150 job offers within two days. Close to 430 job offers have been made in total, with an original goal of filling around 350 positions."

Gunter Ollmann, CSO for Vectra Networks, said although the event "was pitched under the banner of cybersecurity it is not clear what types of jobs were actually being filled," and some positions sounded more "like IT roles with an impact on cybersecurity, rather than cybersecurity specific or even experienced infosec roles."

"Everyone with a newly minted computer science degree is being encouraged to get into cybersecurity, as the lack of candidates is driving up salaries," Ollmann told SearchSecurity. "Government jobs have always been popular with recent graduates that managed to scrape through their education, but would unlikely appear on the radar as interns for larger commercial organizations or research-led businesses."

Chris Sullivan, CISO and CTO for Core Security, agreed that the DHS event may not be indicative of the state of the cybersecurity skills shortage.

"It looks like DHS executed well and had a successful event but we shouldn't interpret that as a sign that cyber-defender resource problems are over. In fact, every CISO that I speak to has not seen any easing in the availability or cost of experienced resources," Sullivan said. "In addition, the medium to long term solution requires both formal and on the job training -- college curriculum is coming but much of it remains immature. We need resources to train the trainers."

Derek Manky, global security strategist at Fortinet, warned against reading too much into just a few hundred positions compared to the potentially hundreds of thousands of cybersecurity jobs left unfilled.

"The DHS numbers are relatively small compared with the overall number of unfilled positions," Manky said. "Part of the solution is to build better technology that requires less human capital to be effective and can evolve to meet shifts in the threat landscape. Additionally, the market needs to better define what skills a cybersecurity professional should hold and use these definitions to focus on efforts that can engage and develop a new generation of cybersecurity talent."

Rob Sadowski, director of marketing at RSA, the Security Division of EMC, said this event might be cause for optimism regarding the cybersecurity skills shortage.

"The experience that DHS shared is encouraging because it shows a groundswell of interest in cybersecurity careers. This interest and enthusiasm needs to continue across the public and private sector if we are to address the still significant gap in cybersecurity talent that is required in today's advanced threat world," Sadowski told SearchSecurity before hedging his bet. "The talent pool in an area such as DC, where many individuals have strong backgrounds in defense or intelligence, security clearances, and public sector agency experience contributes significantly towards building a pool of qualified cybersecurity candidates that may not be present in other parts of the country or the world."

Bailey attributed some of the success of the DHS event to proper planning and preparation.

"Before the event, we carefully evaluated the security clearance requirements for the open positions. We identified many positions that could be performed fully with a 'Secret' rather than a 'Top Secret' clearance to broaden our potential applicant pool," Bailey wrote. "We knew that all too often the security process is where we've lost excellent candidates. By beginning the paperwork at the hiring event, we eliminated one of the more daunting steps and helped the candidates become more invested in the process."

Bailey noted the most important advice in hiring was to not let bureaucracy get in the way.

"The most important lesson learned from our experience is the value of acting collaboratively, quickly, and decisively. My best advice is to just do it," Bailey wrote. "Don't spend your precious time deliberating over potential barriers or complications; stop asking Congress for yet another hiring authority or new personnel system, instead capitalize on the existing rules, regulations and hiring authorities available today."

Sadowski said rapid action is a cornerstone of an effective security program, but noted not all organizations may have that option.

"It's great that DHS has the luxury to act decisively in hiring, especially from what they saw as a large, qualified pool," Sadowski said. "However, many private sector organizations may not have this freedom, where qualified potential hires may require significant commitment, investment, and training so that they understand how security impacts that particular business, and how to best leverage the technology that is in place."



SearchSecurity: Security Wire Daily News

The shortage of trained cybersecurity professionals is a global challenge, and India is no stranger to the situation. An alarming 87 percent of respondents to ISACA’s “2015 Global Cybersecurity Status Report — India Data” admitted India is facing a severe cybersecurity skills gap, whereas only 41 percent felt prepared to fend off sophisticated cyberattacks.

The National Association of Software and Services Companies (NASSCOM) estimated that India will need 1 million cybersecurity professionals by 2020 to meet the demands of its rapidly growing economy. Demand for security professionals will increase in all sectors due to the unprecedented rise in the number of cyberattacks. Despite having the largest information technology talent pool in the world, India is highly unlikely to produce an adequate number of professionals to close the cybersecurity skills gap.

Skills Shortage Exposes Indian Businesses

The cybersecurity skills gap is ever widening due to the fluid nature of threats, innovative new cybercrime techniques, a lack of formal training and, most importantly, a lack of awareness about careers in cybersecurity. This scarcity exposes Indian businesses to cyberattacks and reduces their ability to quickly respond to complex threats. In the long run, the skills gap may discourage Indian companies from implementing new technologies or making new investments.

The shortage of cybersecurity professionals is also pushing up the cost of hiring experienced cybersecurity staff and forcing Indian businesses to increase their cybersecurity budgets. The “Global State of Information Security Survey 2016” from PwC reported a 117 percent increase in cyberattacks in India and a 71 percent increase in budget.

High Stakes for India

Because several global IT corporations operate in India, the cybersecurity skills gap also impacts the global economy at large. The IT sector is one of the major employment generators in India, employing over 2.5 million people. A major breach could significantly jeopardize future growth within this critical IT sector.

NASSCOM launched cybersecurity training initiatives in collaboration with key IT companies. Along with the Data Security Council of India (DSCI), it launched a new Cyber Security Task Force (CSTF) to improve the supply of trained cybersecurity professionals. However, it will take some time before the CSTF starts making an impact on the ground. And it’s but a drop in the ocean given the escalating onslaught of cyberattacks that the Indian government and local businesses are facing.

Cognitive Security Bridges the Cybersecurity Skills Gap

While promoting cybersecurity education can help address the skills gap to some degree, it will not be enough to address rapidly multiplying cyberthreats. Luckily, Watson for Cybersecurity can help offset the skill shortage in India.

Watson for Cybersecurity is a first-of-its-kind, cloud-based cognitive technology. It’s trained to reason and learn from unstructured data — or 80 percent of all data on the internet that traditional security tools cannot process, including blogs, articles, videos, reports, alerts and other information.

“By leveraging Watson’s ability to bring context to staggering amounts of unstructured data, impossible for people alone to process, we will bring new insights, recommendations and knowledge to security professionals, bringing greater speed and precision to the most advanced cybersecurity analysts and providing novice analysts with on-the-job training,” said Marc van Zadelhoff, general manager of IBM Security.

Watson can empower cybersecurity professionals with superior capabilities and help them become more efficient. As Caleb Barlow, vice president of IBM Security, aptly told Fortune, “It’s not about replacing humans, but about making them superhumans.”



Security Intelligence