In our digital world, almost every field of work has increasingly concentrated on the use of technology to drive speed and efficiency. In most cases the goal has been to augment the capabilities of human workers, but some industries such as automotive have also seen job roles replaced entirely by technology.
When it comes to cyber security, technology has long moved at blinding speeds on both the offensive and defensive sides. There have been some incredible advances in security technology, particularly around machine learning, a subset of artificial intelligence. Tools powered by machine learning are, for example, able to analyse huge amounts of system data and identify patterns that could signify malicious activity by a cyber criminal. This means that investigative work that would previously have taken a team several hours can be automated and completed in a matter of minutes.
That said, no matter how advanced the technology becomes, security will always be human-centric. Even the best cyber solutions are still tools that require the hand of an experienced human practitioner to work correctly. The human touch is needed to properly comprehend, interpret and act upon the information that security tools provide.
However, finding the right person for the job is easier said than done, especially as the industry weathers a continuing skills drought that has made recruiting and retaining experienced personnel increasingly challenging.
Who are the right people for the job?
Cyber security is a demanding field that requires practitioners to have a deep technical understanding across a wide variety of IT systems and potential threats. Alongside this, personality type is commonly regarded as being of equal importance to technical acumen and experience. Individuals need to have a mindset that pushes them to keep their skills sharp and relevant. The ideal practitioner will be someone who spent their childhood taking things apart to find how they work, and never lost that thirst for understanding and knowledge. The best cyber security professionals are the ones who are constantly searching for new challenges to master.
Many different security roles also require strong soft skills, particularly communication. While certain frontline analyst roles will allow practitioners to be fully engrossed in complex technical work, other areas will require the ability to translate dense technical issues into language that can be easily understood by non-technical business decision makers.
This means that cyber professionals will often benefit from previous experience in a different sector as this will help them understand security issues from a business perspective. Working within traditional IT roles is particularly useful as it provides a greater perspective on the technical challenges the average business faces.
Finding the ideal candidates
On paper, recruiting a fully qualified and experienced practitioner is the most straight-forward way for an enterprise to bolster its security team. In practice however, the skills gap means that it can take several months to fill a position, often for an inflated salary in order to win out against competing offers.
With this in mind, it is a good idea to invest in training up existing employees in cyber skills alongside efforts to hire externally. Depending on the size and requirements of the organisation, this could mean that an employee takes on cyber duties alongside their existing role or transitions entirely into a full-time practitioner.
Ideal candidates are those that are already developing an understanding of how attacks work. Anyone transitioning into cyber security will need to be armed with a solid understanding of networking, applications and common corporate environments such as Windows Active Directory. They also need to be able to highlight common issues in all these areas.
While there is a baseline of knowledge and skills across all cyber roles, practitioners usually have a particular specialism based on previous experience. For example, developers have in-depth experience of application security and code audit, so a former developer moving into security would be an ideal fit for application security.
Getting cyber training and education right
One of the reasons for the ongoing global shortage is the time involved in training a security practitioner. The road to becoming an experienced, senior professional usually means learning from the ground up – there are no real shortcuts or substitutes for real experience.
In fact, research by (ISC)2 found that most organisations value relevant cyber security work experience and knowledge of advanced concepts more highly than industry certifications when hiring candidates.
However, certifications can still be a very valuable asset when recruiting a practitioner. They can help maintain a baseline of expectation and provide practitioners with attainment steps, as well as providing a level of assurance for employers. Organisations such as CREST serve to ratify individual abilities whilst providing a pathway of progression.
By investing in passionate and talented individuals with aspirations towards cyber security and providing them with the opportunity to gather real world experience, enterprises can help to close the cyber skills gap.
Matt Lorentzen, Principle Security Consultant at Trustwave