The cybersecurity talent shortage is a prominent issue for enterprises looking to bring on specialized engineers. This begs the question: How can we optimize skill development and thwart hackers before they have the chance to attack? Cybersecurity expertise requires a diverse set of skills that should be acquired in equally diverse ways. Some of the techniques can be taught in a structured, classroom-type environment, while other skills can only be gained by learning on the job. What’s more, we must learn how to think several years ahead of the current threat landscape in order to proactively mitigate threats.
From Truck Driver to Cybersecurity Analyst
According to a recent report from Enterprise Strategy Group (ESG) and Information Systems Security Association (ISSA), Through the Eyes of Cybersecurity Professionals, the biggest skill gaps are in the areas of security analysis and investigation, application security, cloud security and security engineering and penetration testing.
The best way for aspiring cybersecurity professionals to acquire such “hard” skills is by attending technical training institutes and trade schools. I know someone who was a truck driver for 18 years and became a very successful cybersecurity analyst by going to trade school and then rising through the ranks. While on the road, he would help other truckers fix their computer problems and realized that he had an aptitude for computers. He took night classes for a year, focused on security, and made a successful transition to one of the leading non-profit hospitals in the US.
Cybersecurity is more of an applied science, whereas algebra, calculus, physics and chemistry, for example, are more foundational. In that regard, cybersecurity lends itself better to a practitioner’s degree rather than as a subject taught in grade school.
Of course, there’s no substitute for old-fashioned, hands-on experience. Ultimately, these skills are best learned on the job.
Know Thyself, Know Thy Enemy
Now, that’s not to say a traditional, four-year university education isn’t valuable for cybersecurity – in fact, quite the opposite. This kind of education is best suited for teaching students the psychology of hackers. The ability to think like a hacker and understand their mentality, incentives and goals is crucial for deriving ways to not just respond to them, but to beat them at their own game.
Specifically, the concept of social engineering and hackers’ motivations – fame, fortune, etc., which are common to other types of criminals, as well – should be considered as an extension of other courses focused on understanding the criminal mind. In addition, hackers are beginning to use advanced techniques like big data to hone in and compromise their targets. Universities have great programs around big data analysis and security experts would benefit from such knowledge.
When you consider that the institution of education as we know it was developed during the Industrial Revolution, it makes sense that we teach students how to build things versus how to break them. But in order to build cybersecurity products that can’t be compromised, we need to know how to spot weaknesses.
Leverage Intelligence and Knowledge to Stay Ahead of the Curve
In order to narrow the skills gap, organizations need to be careful about not just the type of skills to look for, but also when to look for them. Academic institutions need to be teaching the skills that we will need in 5-10 years, not just those necessary today. This poses a tough challenge, of course, as it requires us to look for skills we don’t even know we need yet.
Taking into account the technology trends on the rise today, the most pressing skills that we will need in the future include:
1) Big Data Intelligence
The rise of the cloud and IoT have caused internal enterprise network perimeters to become less rigid and more porous. As a result, security will be driven by more dynamic policies, which are often derived from the behavior of users and machines.
The number of connected devices is expected to rise exponentially, which means that developing policies to match the interactions between users and systems will become increasingly difficult. Machine learning will help to build user profiles, and security policies will be based on individual users’ behavior rather than their static identity.
As these millions of combinations and interactions develop over time, they will provide a good baseline of how users and systems interact. Finding malicious insiders and security breaches will then become a challenge of developing the most effective algorithms to identify these breaches. Attackers are getting better at hiding their tracks, and these systems need the fidelity to identify threats while not being too noisy.
2) Contextual Knowledge of the Business
The current shortage of security professionals has forced enterprises to outsource security monitoring to third parties that don’t understand their specific businesses or processes. Quite often, they generate tickets that need to be reviewed by internal teams that are already spread too thin. In order to automate this first level of triage, developers and engineers will need to build solutions that can integrate security knowledge, business processes and abstracted business-specific constraints.
For example, hospital IT teams need to know about any improper access to patient data, and then take drastic action to revoke it, as soon as it happens, automatically. On the other hand, for a utility provider, user data sets may not be as critical and it may choose to use different response mechanisms. There are many such instances that need to be codified, preferably through smart learning, to help business address security threats effectively.
Closing the industry skills gap will require a multi-pronged approach that develops both hard and soft skills in the workforce, all the while keeping in mind what we will need in the future.
About Ajit Sancheti
Ajit Sancheti is an entrepreneur focused on solving challenges in enterprise software and security. He is currently the co-founder and CEO of Preempt, a cybersecurity startup with a patent pending solution for detecting and responding to security breaches and malicious insider threats.