Cyber Skills Shortage vs Cyber Understanding Shortage…


Chris Dunning-Walton, Owner & MD at InfoSec People, comments on the worrying lack of understanding inherent with hiring Information Security professionals…

Is there a skills shortage…?

There is much in the media currently detailing the deepening worldwide Cyber skills shortage, and I myself have commented on this particular phenomenon in previous articles in IISP Pulse and SC Magazine. More recently, however, it does appear that what is in shortest supply in the industry isn’t necessarily the talent, but an understanding of what talent looks like and what Cyber Security professionals actually do.

Hands-on vs Strategic vs Compliance…

Don’t get me wrong, in certain specialist areas talent is in short supply and very high demand, notably Vulnerability Research, Malware Analysis and Pen Testing at CHECK Team Leader level. However, here at InfoSec we regularly see confused job descriptions from equally confused HR and in-house recruitment teams looking for something which quite possibly doesn’t exist in the Cyber talent pool. It would appear that a lack of genuine understanding of the plethora of Cyber Security roles at CIO, HR and Recruitment levels is stifling companies’ ability to hire quality experienced personnel or those with transferable skillsets.

Take as an example the role of a CISO, which has evolved greatly in the past 5 years: true CISOs, by and large, are not technical; they are now strategic, with an underlying technical understanding. However, we often see CISO and other senior positions requiring deep technical knowledge. Companies wouldn’t expect a CIO to remediate a 3rd line support call, so why would you look for a CISO with hands-on knowledge of configuring firewalls? You wouldn’t (or shouldn’t).

Similarly, we also regularly see catch-all descriptions for Security Consultants who must be experts in cloud security, network security, compliance, standards and threat detection, with great communication skills and a bewildering array of mandatory certifications (CISSP, CISM, CRISC, CISA, CISMP, ISO27001LA, QSA…!), which again shows a fundamental misunderstanding of what the company expects this individual to do and of who could actually do it.

Transferable talent…

Hiring companies also regularly miss out on opportunities to either internally promote or externally hire talented people with transferable skills from IT or the wider industry who, with some investment, could be a great addition. Unix Sys Admins with a certain mindset can be excellent SOC Analysts, and a Web Developer with an inquisitive nature could be a fantastic Application Pen Tester.

With Cyber training and awareness (let’s face it, people are usually the weak link) gathering serious pace, the best candidates to engage employees and drive cultural change will probably not be very technical at all, but will be able to make people understand why it is in their interest, and the company’s profit, to adopt best-practice approaches to security. Psychology graduates, Business Analysts and capable Project Managers are all well set for these kinds of positions, given some further investment. A robust approach to identifying internal skills gaps, and to how these might be addressed, either through external hires or by investing in training existing staff, could help here.

Knowledgeable Cyber Security Recruiters doing well…

One of the reasons I am certain there is a general lack of understanding rather than a gaping lack of talent in the industry is this: both here at InfoSec People and at our specialist competitors whom we catch up with (yes, that does happen!), we generally find suitable people for historically hard-to-fill roles within 2-6 weeks, especially once advice on what the company is actually looking for, and what it should be willing to pay, is taken on board.

InfoSec currently has no qualified positions which have been open longer than a month, other than in VR, Pen Testing, etc. as noted above, and we often quickly fill positions which have historically been problematic for generalist recruiters or in-house HR and talent teams. If there were a genuine skills shortage, our turn-around times would be much longer, and I wouldn’t know so many good people in the industry who are actively available for new opportunities and are generally frustrated by all of the above.

Risk averse hiring strategies…

In summary, while hiring managers and teams have a limited understanding both of what Cyber Security professionals do and what they look like CV-wise, as well as of what kind of talent could do the role given a chance, we will continue to see risk-averse hiring strategies with “catch-all” job descriptions and very high barriers to entry for what are, in reality, highly fillable requirements. Unless you are a Cyber Security Vulnerability Research guru, in which case you’re no doubt doing very well indeed!!