How Infosec Teams Can Overcome the Skills Gap - Tripwire

How Infosec Teams Can Overcome the Skills Gap: Cybersecurity Experts Share Their Insights and Tips

Introduction

The skills gap is weighing heavily on the minds of digital security team members. In a survey of 342 security professionals, Tripwire found that 83 percent of infosec personnel felt more overworked in 2020 than they did a year earlier. An even greater percentage (85 percent) stated that it had become more difficult for their organizations to hire skilled security professionals since then. Organizations can’t rest easy once they’ve brought on new talent, however. They need to make sure they hold onto their existing workforce.

We at Tripwire asked security experts to identify how the infosec skills gap impacts teams, how to bolster their current teams, as well as barriers to entry and how to overcome them. Here’s what they had to say.


How the Skills Gap Impacts Infosec Teams

I believe the skills gap is a twofold issue. Firstly, the number of available people with an interest in our industry is growing. They’re enthusiastic and passionate about our career; however, that is not good enough to pass the current HR processes, and as a result, candidates become despondent and take up other IT roles instead.

Secondly, the myriad of technologies is such that training may only be relevant from one technology stack, and when a talented individual applies for other roles, they may find that the hiring company doesn’t recognize the transferable skills that they can’t put in a box. They don’t hire the candidate, so companies need to go back to basics.

Number 1: Don’t look for the unicorns or the 1 in 1000 people. Companies are currently discounting 999 other talented individuals who could grow into that company.

Number 2: Don’t advertise hyper-specific requirements and job roles. Understand that the ideal candidate may not apply if they cannot tick all the boxes.

Number 3: Instead of a keyword search, allow the HR team to do basic filters but then be guided by the managers who will be looking after these people. Look for transferable skills.

Number 4: Instead of a full interview that can put off neuro-diverse candidates, consider putting in scenario- and/or competency-based tests that will then allow a candidate to demonstrate their passion and ability. Doing these will identify passionate talent who can actually do the job despite not necessarily ticking all the hyper-specific boxes on the job advert.

» Stuart Coulson Director, HiddenText Ltd @SPCoulson


My experience, and what I hear from other CISOs, is the skills shortage is for seasoned cybersecurity professionals with advanced experience. The experience can either be advanced knowledge in a narrow area such as highly skilled red teaming experience or security architecture, or it can be of decent depth across broader areas of cybersecurity skills. The benefit of having a seasoned professional is that they are familiar with the challenges and complexities of merging business and cybersecurity. They have a rounded perspective of what can go wrong, and they know the impact if a “minor” change causes a cascading, catastrophic failure that causes financial impact to the business.

In reality, and if we are generous with the timeline, cybersecurity as a major part of your role has only existed for the last 20 years. As a pervasive force that every online business must incorporate into its IT team, it’s really been around for only the last 10. So we are fighting for that same pool of experienced security professionals.

Most colleges recognize the opportunity and are building out their cybersecurity programs, but as good as many of them are, you can’t substitute education for experience. I work with our local college, and I have found there is a disconnect in the type of individual I need and the skills of the students who are graduating from their cybersecurity program. I think they are finding this in other organizations as well since the school administrators have discussed the challenges they have had placing students from their program. They lack good communication skills, proper understanding of security architecture, awareness of risk as a discipline, project management knowledge, and critical thinking skills.

I have been a guest speaker at the college and at other events, and every young bright-eyed person who seeks me out to discuss their career is excited about red teaming. My guidance is to focus on other cybersecurity roles. There are many pen testers, and honestly, I have people with red teaming skills, but the need for them is limited. Red teamers are my sanity check to confirm everyone else did their job well. I need builders, defenders, risk people, architects, and people who understand IT security audits.

It’s not a surprise that college kids believe the only role available in cybersecurity is red teaming. It’s the role in the news and in the movies. I think the solution is for cybersecurity professionals, people like myself who are part of the hiring and managing cybersecurity teams, to embed ourselves in the college curriculum and partner with college educators to influence the skills required in a cybersecurity program.

The other solution that I have used is identifying people with good business acumen and then building out their cybersecurity knowledge. Balancing cybersecurity and having a successful relationship between cybersecurity and the business is so critical that it’s almost easier to educate them on cybersecurity than to educate cybersecurity people how to think from the business perspective.

» Sandy Dunn CISO, Blue Cross of Idaho @LinkedIn

So, there’s a lot of discussion in the cybersecurity community about this skills gap and the trouble that corporations are having in hiring skilled cybersecurity individuals. As we look at that problem, I think one of the key issues we’re seeing, and that I hear about, is that our job descriptions are wildly unrealistic. (I see this all the time from my colleagues, and I’ve seen it in research I’ve done.)

If you look at job descriptions that are out there today, you’ll see things where entry-level positions are asking for a CISSP certification. Anybody who knows anything about knows that you need to have five years of experience to get certified. Other times, I’ve seen other things that just asked for either wild amounts of technology experience that no single person could ever possibly obtain or simply impossible things like 12 years of AWS experience. Well, unless you’re Jeff Bezos, you probably don’t have that level of experience, so you know, I think that’s one of the big barriers we have right now in the industry. We’re struggling with just getting job descriptions out there that are sensible and that attract the right people.

The problem with this is that the longer these positions stay open, the more stress it places on the rest of our security teams. We see this as turnover, which is almost astronomical in the cybersecurity community. The average time on the job was two and a half years in the last study I saw. It’s not because salaries aren’t high enough. It’s because people are getting burned out in their jobs, and they’re leaving to go to non-cybersecurity jobs where they feel they have a better balance.

So, the question is as follows: how do we continue to secure our systems when our teams are in these positions? The fact is we have to start looking internally. We have to start looking at which folks within our organization have a desire to expand their skills into security. We should start looking at how to develop those people, how to enable them, how to provide training and how to provide them with opportunities that show what they can do in security.

It’s a long road, and we’ve got a lot of work to do.

» Alyssa Miller Hacker & AppSec Advocate @AlyssaM_InfoSec


The infosec skills gap impacts security teams today by putting additional stress and reliance on specific personnel who have attained the necessary skill sets to perform at peak. In many cases, that’s only one or two individuals. This can create a potential single point of failure, putting stress on hiring managers to fill that gap.

One solution to the infosec skills gap problem is to reach out to market vendors for readily available SaaS solutions. Other options include onsite or remote contract staff as well as customized support options with SLAs that can assist with daily cybersecurity support operations and maintenance. After all, sleeping peacefully at night leads to less stress and better health.

» David Henderson Sr. Systems Engineer, Tripwire, Inc. @LinkedIn


The primary blockages I see to recruitment and (more seriously) medium-term retention are lack of capacity to train in post, excessive expectations of discretionary hours, lack of flexibility in terms of both hours and remote working and poor role definition. There are too many ads looking for a wish list of responsibilities, specific technologies, years of experience, and qualifications.

The former two are indicative of the way security is viewed and valued in the organization. Often, training going down and discretionary hours going up is a quick and brutal effect of more general cost-cutting. Flexibility and remote working are about the nature of roles but also whether firms trust staff and put effort into technically enabling it. If they don’t, they need to start because my anecdotal feedback is that it’s a big draw…and a big red flag if ruled out on invalid grounds.

Issues with role definition are a knottier problem. The industry as a whole is bad at analyzing what is required to do specific parts of the security job well and the kind of experience, education and capabilities needed to match that. That’s often the case because of interaction between multiple issues. When individuals or teams are working at over 100 percent capacity keeping more balls in the air than is reasonable, job analysis is less than an afterthought. Even if done, if things are really broken, it can rock the boat in ways the firm won’t like. There are pockets of better practice (like the place where I work now) but only where senior sponsorship produces budget, time, and support for both analysis and outcomes, including a search for specialist recruiters who don’t bleed out value by devolving search back down to an overenthusiastic checklist.

» Sarah Clarke Data Protection & Privacy, BH Consulting @TrialByTruth

Barriers to Entry for InfoSec Applicants


There’s a big issue of diversity and inclusion today. When women are looking at jobs, they will apply only to jobs if they fit a hundred percent of the criteria. It’s a little bit different for men, who go for a job even if they meet 60 percent of the criteria. In return, women end up applying to 20 percent fewer jobs.

Even when underrepresented persons apply and are fully qualified for that position, they don’t get it today. The reason for that is that we have prejudices and biases that are still very much existent in InfoSec because they remain unchecked. We’re not doing enough to change the situation, and in reality, what’s going to keep on happening is this rotating door because we’re not doing enough to promote inclusion. In order to change that situation, please reach out to organizations that work with underrepresented persons and that do whatever it takes to change the situation and make the field more welcoming for all people.

» Chloé Messdaghi Vice President of Strategy, Point3 Security, Inc. @ChloeMessdaghi


As society is learning, the biggest barrier to entry and hiring into cybersecurity is that skillsets are constantly changing with every new vulnerability and maturity level. After years of struggling and seemingly always behind, corporations are taking this gap into consideration and rethinking their strategies for conducting business. One way they are mitigating this is by moving to the cloud and adopting managed services. They are discovering that by allowing the experts in managed services to conduct their day-to-day business, it allows them to be more agile with training their employees and focusing their efforts on addressing the critical vulnerabilities they encounter.

» Gina Parshall Resource Operations Manager of Professional Services, Tripwire, Inc.

The largest barrier of entry for employees is having experience in multiple facets of security. We’ve seen many students come out of school with degrees in cyber but who don’t have experience in the technology they’re defending. I personally look for someone who has the desire and experience in the relevant technology before assuming that they’re experts in security. Right now, that’s the largest barrier of entry in the field. We recommended that a firm baseline of knowledge in the underlying technology be present in an applicant.

» Matt Pascucci Sr. Cybersecurity Manager, CCSI @MatthewPascucci

When I started within the technology industry over 10 years ago, I actually transitioned internally from a personal tax assistant/administrative role to IT Manager role. I didn’t have a massive challenge doing this, as all the experience I had with the company previously was beneficial in the new role, and there was a pre-existing relationship between myself and my managers. I was primarily self-taught through hands-on experience, YouTube instructional videos, and reading.

After a few years, I decided to get a formal education at college. Unfortunately, in leaving college, I discovered there were a few challenges with being from a different background than the expected applicant. However, I was able to bypass this issue by starting my own company. Following this, I moved to the United Kingdom and then to Ireland.

Now, after more than 10 years of experience with owning a company and working in three different countries, I still struggle with job hunting, especially for senior roles and highly technical positions. Even today, I still receive comments on how I don’t look like what they expect or don’t appear old enough, etc. However, I have learned that applying to companies with persons I know vs. applying from online listings is more effective.

Based on my own experience and the experiences of those whom I have mentored and/or reviewed, I can say the following:

Many companies are looking for a specific person. In doing so, the interviewer might lack knowledge of what the organization actually needs in terms of cybersecurity.

Unfortunately, there is little-to-no training provided for interviewers. I have had great first interviews but then second interviews where the person was only interested in hiring someone skilled like themselves (Stop hiring in your own image.) and talking about how great a technology I’d never used was. This technology was not a requirement for the role directly, mind you, and they ignored my responses to similar but not directly related work. Interviewers are rarely required to attend formal unconscious bias training.

Applicants with limited experience often struggle with putting their theoretical knowledge into context for the interview.

The lack of clarity on how to effectively interview, under-skilled interviewers/management, not to mention confusion on what a good security/technology person looks like, create an industry where only the cookie-cutter image passes inspection. This leads to massive gaps of capability, knowledge, and points of view in our industry, ultimately making the industry skills gap appear to be on the applicant’s side where it’s often actually in the organization’s hiring and managing process.

» Zoë Rose Cybersecurity Specialist & Ethical Hacker @RoseSecOps

I think one of the biggest barriers to entry and hiring for security positions is that there are not enough entry-level positions. In a sales career, typically college grads start out in sales development roles. These are entry-level roles designed to teach the foundations of the sales process and help them gain interest in prospects for the sales team to work with. Most companies are so far behind on security investments that they want to hire the best and brightest, which is a given. But those employees get burned out quickly, leaving the company struggling for talent instead of building their own pipeline.

» Nick Santora CEO, Curricula @LinkedIn

The word ‘skill’ relates to both the talent and the tools that are needed to achieve a desired outcome. When we speak of the cybersecurity industry’s “skills gap,” therefore, we imply these things aren’t abundant enough to overcome the threats that broadly affect organizations.

But I think it’s more complicated than that.

Given the sheer volume of ethical hackers and well-intentioned people wanting to make a difference, I do believe there’s more talent available than acknowledged, especially for entry-level positions. By broadening requirements, companies can gain access to these pools of qualified (& eager!) resources. That said, there is a very real element to the skills gap, and we as an industry need to do more to encourage individuals to come forward to fill it. We can do this by better standardizing cybersecurity positions and career paths and also by partnering with local universities to continually expand curriculum and share knowledge.

» Kristen Poulos VP and General Manager of Industrial Cybersecurity, Tripwire @LinkedIn

How to Succeed Despite the Skills Gap


As a CS instructor, I help a lot of students navigate their first job search. One frustrating challenge is that employers who are willing and looking to hire and mentor new graduates have requirements in entry-level job postings that don’t match the experience that new grads typically have. If your entry-level job posting calls for “2-4 years of experience with Python” or “1-3 years of experience in a technical security role,” you’ll miss out on many bright, sincere candidates brimming with potential because they won’t apply to that ad. Remove any such hard requirements from job postings. The skills gap exists in part because we inadvertently discourage newcomers in many ways, and this is one of those ways.

On a more substantive level, CS educators are overloaded. The enrollment rate for CS bachelor’s programs in the United States has more than tripled since 2006, and the slope is increasing. This has created significant pressures on faculty workload, classroom and lab space as well as nonmajor access. As colleges and universities scramble to create and develop cybersecurity programs to meet demand, it may be worth remembering that college programs aim to produce well-rounded individuals with some foundational knowledge and strong learning skills. Most of them will not have job-ready skills. So, if you have the capability and capacity to mentor and let junior employees grow, it may be worth exploring candidates with non-traditional backgrounds.

» David Lu Security Researcher, Tripwire @LinkedIn

There is no substitute for experience, and despite the well-publicized shortage in people required to fill an ever-rising demand, that is often the hardest thing for someone trying to break into cybersecurity to attain. Hiring gatekeepers should therefore try and look beyond the obvious buzzwords such as particular job titles, certifications, or formal education paths in their search criteria. Providing they are credible, those are all good things, but they are not the ‘be-all and end-all.’ Whilst certain specialist roles such as pentesting or forensics will require some non-negotiable hard skills, there is much to be said for people with a broader, varied technical knowledge, good problem-solving skills, and a naturally questioning and inquisitive nature. First and foremost, security is a mindset and that isn’t something you can always reliably gauge from a CV or LinkedIn profile.

Some level of technical grounding remains vital, however. I’m increasingly coming across people who claim to work in cybersecurity but ‘aren’t that technical,’ which is a bit like saying you’re a motor mechanic but you’re not that sure what’s under the bonnet. Whilst CISOs and senior-level managers should, of course, be operating at the business and board level rather than down in the technical weeds on a day-to-day basis, they will still need a reasonable level of contemporary technical understanding to make the right choices.

Small, stretched in-house teams should look to the use of smart technology and automation where they can. Whilst there are a lot of unknowns and variables with cyber detection and defense that will always require a degree of professional judgment, there are also plenty of ‘known knowns’ which can be automatically defended against. In-house teams should also look to establish arrangements with trusted external partners upon whom they can offload specialist activities and whose skills they can use as required rather than trying to retain them in-house.

» Angus Macrae CISSP @AMACSIA

A lot of organizations are looking for folks who have multiple years of experience in technologies that have not been around for very long. The information security environment is evolving faster than most organizations can keep up with. I think the biggest thing a company can do is look to hire folks with transferable skills such as a passion for security, a curiosity to tinker with how things work, and outside-of-the-box thinking.

This type of drive is hard to teach, so organizations should hire this type of talent when they find it and then teach the security skills. In order to do that, however, it requires that organizations invest heavily in keeping their teams trained up. This obviously takes away from office time, but it is essential to keeping teams up-to-date with the latest threats and trends.

» Irfahn Khimji Country Manager, Canada, Tripwire @TheRealKhimji

Every available data source on this topic, whether it be surveys of cybersecurity professionals or a quantification of open job positions, confirms what we already know. And that is that there is a tremendous gap between supply and demand for cybersecurity professionals, particularly in a need for technical cybersecurity talent.

There are a number of different initiatives underway globally to address the supply part of the problem, namely in the form of more robust formal educational opportunities, professional training and certifications as well as even competitions to identify and refine talent. However, any reasonable projection in the near future still suggests that the gap is not going to close anytime soon.

In the meantime, organizations can do a number of things to try to address the skills gap. Obviously, there are opportunities for increased investment in security automation as well as opportunities to outsource and consume services through externally provided managed services.

One of the most important aspects of cybersecurity that touches on this problem, however, is that cybersecurity is inherently an interdisciplinary, cross-functional challenge. If we begin to view cybersecurity as directly related to the central nervous system of an organization, the critical infrastructure that ties together all the parts of the organization that both receives sensory input as well as provides guidance back out to its many parts and communicates with the outside world and to its many partners and suppliers, we can then realize in fact that this touches on much more than just the IT department with some help from the HR department. When we realize the cross-functional and interdisciplinary nature of the problem, we can begin to engage all parts of the organization with leaders from legal and finance to IT and operations to sales and marketing.

Every part of the business manages sensitive data and information and has an influence in the type of systems and tools that are used to perform many functions. If we can keep that in mind, then we begin to engage other people in the problem, whether they be legal and finance professionals who are tied to compliance and auto requirements or sales and marketing professionals who handle partners’ and customers’ sensitive information.

In recognizing all of this, we can begin to address not just the supply part of the problem but also actually the demand side of it, meaning the organizations that need cybersecurity in the first place can begin to leverage a broader set of resources amongst a broader number of people who are already working there to begin to secure the data in the systems upon which the organization relies and which are so critical to achieving a higher state of cybersecurity.

» Maurice Uenuma Vice President, Federal & Enterprise, Tripwire @LinkedIn

It’s challenging. I accept that there will always be four times more work than I have resources. My mantra is to prioritize. Make sure we are working on the highest risk, the most likely security issues, and communicate the residual risk.

The other solutions are extending the responsibility for protecting the business into all parts of the business. I “deputize” people onto the cybersecurity team, and I recognize that people bring cybersecurity issues and solutions. I even have silver deputy badges that I found on Amazon that I hand out with a certificate of recognition. I love walking by people’s cubes and seeing them pinned on the wall!

There is also an opportunity to leverage low tech solutions like easy-to-find and easy-to-follow security cheat sheets, so people whose core competency is customer service, legal, or administration can know how to do things securely without being frustrated or inadvertently causing a security incident.

» Sandy Dunn CISO, Blue Cross of Idaho @LinkedIn

Address Your Skills Gap Issues with Industry-leading Security, No Matter the Size of Your Team

Tripwire® ExpertOps℠ extends your staff with a dedicated engineer who’s always in sync with your team. You’ll see rapid time to value with consolidated services that quickly align your systems with multiple compliance standards.

Tripwire is the trusted leader for establishing a strong cybersecurity foundation. We protect the world’s leading organizations against the most damaging cyberattacks, keeping pace with rapidly changing tech complexities to defend against ever-evolving threats for more than 20 years. On-site and in the cloud, our diverse portfolio of solutions finds, monitors and mitigates risks to organizations’ digital infrastructure, all without disrupting day-to-day operations or productivity. Think of us as the invisible line that keeps systems safe. Learn more at tripwire.com

©2020 Tripwire, Inc. Tripwire, Log Center/LogCenter, IP360, Tripwire Axon and others are trademarks or registered trademarks of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. BROSG1a 2007