The cybersecurity skills gap is one of the most pervasive bugbears in the information security community.
A lack of high-level cybersecurity specialists is often viewed as a threat to profits, national security, and market stability. To some extent, we agree – there is a problem with cybersecurity hiring and staffing. Most of the time, however, this problem is formulated only in terms of a lack of skilled applicants. Here is where the skills gap doesn’t pass the gut check, based on the cumulative century of security experience that F5 Labs brings to bear.
The cybersecurity skills gap is not merely a problem with supply, but also with demand. The security industry is partly responsible for creating this problem through a combination of self-interest, extraordinarily vague needs, and unrealistic expectations. Furthermore, in our experience, the myopia in cybersecurity hiring is not just hard on candidates. It is a big part of why cybersecurity itself is becoming simultaneously harder and less well defined.
We have our own opinions on the most important skills and perspectives in cybersecurity, but first we want to try to pin down the staffing problem.
How much cybersecurity expertise can I get for $20K?
Some of the problems around security hiring mirror broader staffing issues: everyone wants a finished product, but nobody wants to pay the market rate. We often hear an argument like “I don’t have time to train someone, I have to mitigate these threats tonight!” While we have been there, and can appreciate the sentiment, the fact that we have yet to find an equilibrium between candidate supply and demand indicates that we might not be formulating or pricing the problem correctly. If everyone always holds out for the complete package, nobody will ever get it.
What is cybersecurity, anyway?
Another issue in our field is that many organizations seem to build cybersecurity staffing requirements around a bachelor’s degree in computer science. This was possibly a good strategy once, but computer science degrees and cybersecurity are increasingly mismatched, for several reasons. Most people in computer science programs want to write software. Furthermore, most computer science programs offer little material on security. This is partly because there is so much other material to cover, and partly because security knowledge isn’t yet a big part of the development careers that follow. DevSecOps continues to hold promise, and developers may, in time, begin to know and care about security, but we aren’t there yet.
It’s clear that security is computer science-adjacent at best, in terms of both the body of knowledge and daily behaviors. A computer science graduate coming into security will not only have learned a lot of unnecessary information, but they will also have a lot of catching up to do. If nobody recognizes these gaps for what they are, the candidate can appear under skilled or unmotivated.
Which cybersecurity are we talking about?
Another problem is that security itself is a poorly defined body of knowledge. There are so many different skill sets that even veteran security experts often don’t see eye to eye about what a security professional should know and do. Our field encompasses such subdomains as malware analysis, penetration testing, code review, forensics, threat intelligence, risk assessment, compliance, cryptography, network monitoring, and incident response. It requires understanding other domains, including software development, application architecture, information architecture, data visualization, law, basic business principles, and effective communication. It occasionally requires knowledge from fields like geopolitics, global economics, counterterrorism, behavioral psychology, and statistical methods.
No institution can effectively cover all of this in one shot, and the needs of a given organization will also be determined by its strategy, security architecture, and the hiring manager’s perspective. This means that even experienced specialists need to be willing to humble themselves and constantly gain new skills.
Thus, the degrees that tend to get hired in this field aren’t a great match, and the field itself is so resistant to categorization that only lifelong learners can write their own tickets. However, the attribute that marks the kinds of people who go on to do well in the field is fundamental interest in the idea of security. If they have that, we can teach the rest. For that reason, we think that, rather than looking for turnkey candidates, it’s better to cultivate the practical skill set among people who self-select as being interested.
It’s better to grow your own cybersecurity experts
It can feel like a gamble to invest in unskilled but motivated candidates. It would be great if you could get a security genius off the shelf, but both the history and the direction of the field indicate the need to cultivate rather than purchase. The key to this is to test for passion first. For cybersecurity professionals, continual learning is part of the job. If they aren’t curious and motivated to do this, don’t bother going further. It will be a waste of their time and yours.
Conversely, if you find someone drawn to the field, then training them is a win for everyone—for you, for them, and for the organization. These people will go on to be more effective and significantly cheaper than the alternatives. We also need to emphasize that, in our experience, many of the best candidates will be from nontraditional backgrounds, and not just computer science students. Self-taught, passionate hobbyists and code-school candidates have frequently shown themselves to be willing and able to learn and excel in our field.
Sander Vinberg, Threat Research Evangelist at F5 Labs