Dell SecureWorks' business relies on having top talent to run its security operation centers and threat analysis groups. As a managed security service provider in the business of filling the holes in its clients' defenses, the company needs a well-trained workforce.
Yet, like most firms, SecureWorks is hounded by a dire scarcity of trained security professionals. The situation is so bad that for every 20 open security positions at the company, there is only one qualified candidate, said Jon Ramsey, the firm's chief technology officer. The company has pursued a number of strategies to improve its chances of gaining the right people, from aggressive recruiting tactics to in-house 'farm teams' for developing talent, to partnerships with universities. On top of that, the company awards higher salaries to the right people, a necessary tactic that not every company can afford.
"The people who need security professionals cannot find them," said Ramsey. "And if the company is not a security business, it is hard to justify paying a premium for people who are not core."
If a company whose business is security is having such problems finding the needed security staff, businesses in other industries are even worse off.
Cybersecurity talent crunch
Estimates of the problem vary, but no one disputes that the United States, among other countries, is suffering from a security talent crunch. Cybersecurity specialist James Gosler, a former employee at the Central Intelligence Agency, estimates that in 2012, no more than 1,000 people had the necessary skills to tackle tough cybersecurity tasks. The nation's companies and government agencies need at least 30,000 to secure their systems, he estimates. According to assessments by the International Information Systems Security Certification Consortium, or (ISC)2, more than 300,000 trained cybersecurity professionals are needed.
The disparity in the estimates does not indicate uncertainty in the numbers, but rather a difference in the type of security position being described: Gosler's lower number focuses on the highly technical security engineers and ethical hackers who are intimately familiar with securing systems, while (ISC)2's higher number includes security professionals more familiar with compliance regulations and with managing other security workers, said Alan Paller, director of research for the SANS Institute.
Companies are having problems finding the security professionals that they need, and schools are not graduating enough students with the necessary talents or experience for entry-level positions in cybersecurity.
"More than half the people needed are the 'frequent flyers,'" said Paller. "They're the ones that can tell you how the plane flies, but if you put them in the cockpit, the plane would crash."
Colleges and universities are good at training and graduating the "frequent flyers," but the more technically adept security technicians are more cultivated than taught, he said.
The security industry, however, will not wait for the workers to catch up. The industry will grow about 11% per year until at least 2020, said W. Hord Tipton, executive director of the (ISC)2.
A major problem for companies is a lack of college-educated candidates for entry-level positions, said Frances Alexander, a former CISO at two medium-size healthcare providers and now a director at the Information Systems Security Association. Because IT security professionals tend to develop their skills on the job, they end up being too senior for most entry-level positions.
In the pipeline: Farm teams and hackathons
For companies that have time to develop the necessary security skills in-house, training willing and talented employees is a good -- albeit slower -- alternative. If a candidate fits the culture and has a strong curiosity about technology and security, the company can develop the rest, said SecureWorks' Ramsey.
"It's all about hiring the best, and once we hire them, we use a farm league to develop the talents we need," he said, adding that the company frequently has the trainee shadowing a more experienced worker. "We can put a junior member of the team with a more senior person for training, send them to an engagement and not charge for the trainee."
Hacking and cyber-defense competitions are another good way to teach security professionals more technical skills in a competitive setting. The nationwide competitions -- typically offered at the high school, college and post-graduate levels -- can act as a good team-building exercise, but have also become the foundation of one strategy proposed by the Homeland Security Advisory Council's Task Force on Cyber Skills.
By taking competition winners and offering them scholarships for intensive training at a two-year college, the initiative aims to increase the number of technical people in the pipeline, said SANS' Paller.
In a recent New Jersey trial, 960 people competed, 76 advanced to live systems and 15 contestants got scholarships. Paller estimates that 40 of them could have taken home a scholarship if enough had been available.
"That's with substantially no promotion," he said. "That means there are a lot of potential candidates out there, so the problem is not the training, but the selection process and the opportunities."
"There are not a whole lot of entry-level resources out there," said the ISSA's Alexander. "We, as a profession, are definitely heavy in the middle."
Beg, borrow, steal
Today, the strategy that most companies rely on is poaching from their competitors or even from inside their own organization. When Dom Nessi, deputy executive director and CIO of Los Angeles World Airports, which manages the operations of LAX airport, took over IT security in 2007, the department had no information-security team. In 2008, Nessi hired a CSO, who brought over two other security professionals from a different department.
"I had to poach them from the City of Los Angeles' IT department, and they don't let me forget it," he said.
Yet, such measures are short-term at best and can be a vicious circle. Instead, companies focused on staving off the poachers should carve out appropriate positions for skilled workers, consider paying their competent security people more and provide a clear path of promotion, said (ISC)2's Tipton.
Companies and government agencies that have good security professionals should make sure they are not treating them like a third arm, said LA World Airports' Nessi. The problem is acute within government, where security professionals are routinely lumped in with other information technology professionals, even though they typically command a premium.
Government "tries to pigeonhole our IT security staff into positions that were never intended for them," Nessi said, pointing to security experts toiling under titles of "application programmer" and "network specialist."
Companies that do not have the resources to hire their own security team could rely on cloud and managed services. Cloud providers tend to manage the security of their infrastructure better than most companies manage their own, freeing up IT security people from running that part of the business, though the customer remains responsible for how those services are configured and for the data it places in them. Managed security services can help companies fill the remaining gaps.
"Cloud has really taken a lot of pressure off the demand," said the (ISC)2's Tipton. "The amount of demand would be more than double if it wasn't offset by the cloud."
Government 'reservists' and college partnerships
For the long term, companies need to work with the government and academia to increase the supply of potential candidates with the right skills.
One model is the relationship that the government has with airlines: The military trains pilots to fly aircraft. The government retains skilled pilots for a certain amount of time, and the pilots know that there is a good job out there when they are done with their training and term of service.
"They train the pilots (at a cost of about $130,000 per person), benefit from that training and then send them out into the industry," said Paller.
Yet, the government has its own problems. Lured by the big salaries in the private sector, many security professionals are using the government as a stepping stone, and rather than spending five or six years in government service, workers spend a year to 18 months and then jump ship, said SecureWorks' Ramsey.
Along with efforts to keep technically talented people, the government should offer an alternative reserve system where computer security professionals can serve in government roles for a few days a month, but not run the risk of being called to active duty, he said. "I know a lot of people that would be interested in that."
Such a system would allow the government to benefit from the talents of security experts over time, while giving those professionals additional opportunities for training.
Finally, the U.S. needs to have an education system that is more responsive to industry's needs, security experts say. Companies should work with universities to mentor future graduates and provide internships for potential employees. Dell SecureWorks, for example, works with the Georgia Institute of Technology, Rochester Institute of Technology and Purdue University.
Without a good outreach program, companies may find that they have no one to fill their ranks of IT security experts in the future, said Garrett Felix, information security and privacy officer for MediFit, a preventative health and wellness provider.
By fostering and mentoring students, companies can create their own pipeline for the future and help draw students to the profession, Felix said.
"Getting interns exposed to the information security role in the industry is important," he said. "When I bring an intern in, I take them under my wing and show them the security side of the business."
(ISC)2's Tipton would like the industry and government to focus on even younger students. "Starting at grade school, teach something besides functionality," Tipton said. "If you only make it user friendly, perhaps you sell more, but you also take away the checks and controls that make it that much more secure."
Robert Lemos is an award-winning technology journalist, who has reported on computer security and cybercrime for 15 years. He currently writes for several publications focused on information security issues. Send comments on this column to email@example.com.
This was first published in September 2013