ESET’s Lysa Myers looks at the shortage of qualified information security talent to fill positions, discussing ways in which to plug the infosec talent gap.
As a reader of this blog, you’ll know that security issues are a daily reality. If you’re a security practitioner, you may wish you could clone yourself to help deal with the never-ending workload. Each day seems to bring a new report focusing on the shortage of qualified information security professionals to fill positions. Is there anything we can do to change this seriously unbalanced equation and plug the infosec talent gap?
Are we missing opportunities?
ISACA recently released a Current Trends in Workforce Development report that sheds light on the problems companies are having staffing open positions. More than a quarter of enterprises find they are unable to hire the people they need, and those that are able to fill positions report that it takes more than six months to find the right applicant for the job. Almost half of those surveyed said they got fewer than ten applicants for each job listing and 64% of respondents said that fewer than half of those who applied were qualified for the position.
Ominous as this sounds, there are key points in this report that tell me that as an industry, we are missing a lot of hiring opportunities. Many of the people who are successful in this business have neither formal computer science-specific education nor professional certifications in security. While in other industries, a specific degree may be crucial, many highly qualified security practitioners have learned on the job rather than in a college or classroom. Hiring practices that work for most industries may in fact exclude experts from applying for open positions in this industry.
Even if we remove that point of friction in the hiring process, there are other opportunities we are missing. Many current security practitioners started their careers in other industries entirely. I started out my career not as a computer expert but as a florist. Because the florist industry is naturally slow during summer, one year I took a job as a receptionist at a security company. The head of the malware research labs recognized that I had skills that could be useful in his department and I had an eagerness to learn, so he gave me a chance to try my hand at some piecework. When this went well, I was brought into the labs full time.
On paper, I appeared to be wholly unqualified for any of the positions I eventually held. But I was able to use my existing skillset combined with informal training to excel in security. I am not unique in this – in fact, the person who we hired to fill the first position I held in the labs when I was promoted also had no computer science degree or certifications. He was only a few weeks into his first programming class; he clearly had interest in learning about computers and he also had excellent communications skills, which is a much harder thing to teach.
The biggest untapped resource
As of 2015, women held only one in 10 computer security positions. As women make up more than half the population, and almost half of the current workforce, this means that our industry could be failing to reach skilled professionals who may not even be aware of the possibility of a career in computer security. While they may not yet have in-depth technical knowledge, many have expertise in other areas for which it is much more difficult or time-consuming to train, such as law degrees, project management experience, creative problem-solving abilities or exceptional communication skills.
Moving towards the future
Clearly the most desirable way to counteract the skills shortfall is to increase both the quantity and quality of applicants. And this is where we need everyone’s help. We need to get kids exposed to the possibility of cybersecurity careers, we must identify people who could use mentorship and training to excel in this industry, and it is crucial to include a wider variety of people in our recruitment practices. Here are a few ways that you can help:
There are a lot of national groups such as TEALS, Girls Who Code, Women’s Society of Cyberjutsu, and CoderDojo as well as local STEM events, hackathons and bootcamps that are in need of expert support. Each year many of ESET’s own researchers join a team of mentors who help teach kids during Securing Our eCity’s yearly Cyber Boot Camp in the San Diego area – this is a fun event that can always use more help from the community.
The cost of formal education is growing at a rapid pace, which may keep interested people from trying to get the necessary skills to join this industry. There are a lot of scholarships out there that have been set up to encourage people to pursue an education in security. Several sites, such as (ISC)², CyberWatchWest and WiCYS, maintain lists of resources for students seeking scholarships and internships. This year, the amount of ESET’s Women in Cybersecurity scholarship has been doubled and it has been opened up to students nationwide. Applications for this are being accepted for another week, until March 15th.
Reaching underrepresented groups
There are a growing number of groups that are focused on the inclusion of a wider variety of people in cybersecurity and technology careers. National groups like Code2040 and Black Girls Code are helping to cultivate the next generation of developers. You may also be able to find local groups in your area, especially through sites like MeetUp.
By making significant changes now, we can avoid the anticipated shortfall of 1.8 million professionals in 2022 and help stem the tide of malware and security woes.