- Kathleen Richards, Information Security
The global search for a skilled cybersecurity workforce requires unique strategies as organizations face shortages, and encounter stumbling blocks ranging from performance issues to the political climate.
"For many years, the focus has been on perimeter defense and defending the walls of the castle," says Eddie Schwartz, international vice president of ISACA, a nonprofit global association of 140,000 IT and information system professionals, chair of ISACA's Cybersecurity Task Force, and president and COO of WhiteOps. "The other skill set is more of a general security skill set that allows organizations to do compliance, healthcare regulations or payment card industry."
The problem with both of those skill areas, according to Schwartz, is that in the last five to seven years there's been a dramatic surge in advanced threats and malware; much of it is more sophisticated than reasonable security practices and procedures driven by compliance regimes.
"The emergence of security professionals that can cope with advanced threats and advanced adversaries hasn't kept up with the changes in cybersecurity," he says.
The skills mismatch is well documented: Three-quarters of the IT and HR executives surveyed by KPMG in October at U.K. companies with 500 to 10,000 employees said they faced new cyber challenges that required new information security skills, citing data protection and privacy as particular areas where their organizations required more expertise. More than half said they would consider using a hacker to provide inside information to their security teams, or an expert with a criminal record. The primary reason: The skills to combat cyber threats differ from those needed for conventional IT security.
While those tactics may sound like desperate measures, cybersecurity skills shortages are widespread. More than half of the global cybersecurity professionals (polled in January and February by ISACA and RSA) reported that fewer than 25% of cybersecurity applicants are qualified to perform the skills needed for the job, according to the "State of Cybersecurity: Implications for 2015" study. Survey respondents indicated that hands-on experience is the most important qualification. A lack of credentials ranked second as a disqualifier; 72% said the biggest gap is the ability to understand the business.
In the United States, the Department of Homeland Security is introducing proposals such as temporary work visas for spouses to boost foreign workers' incentives to apply for the U.S. Department of Labor's H-1B Specialty Occupation visa program. Started in 1990, H-1B is designed to enable nonimmigrant foreign workers with at least a bachelor's degree, or the equivalent, to temporarily work (up to six years) in the United States in specialized areas when there is a shortage of available U.S. workers with the desired skill sets. A "fairly large but unknowable portion" of these visas are used for cybersecurity, according to James Arlen, director of risk advisory services at Leviathan Security Group, a Seattle company that provides integrated risk management and information security to Fortune 100 companies and governments.
The visas are used for everything from "firewall monkey logger" all the way up to senior analyst types of roles, according to Arlen. "The issue really comes down to the fact that there are so many unfilled positions, that there simply aren't enough people globally," he says. "It's a matter of attracting the 'best of the best of the best' to get them to work on your stuff."
But the implementation and administration of some H-1B programs may differ from their intent. A bipartisan group of senators is demanding an investigation into employers' alleged abuses of these programs, from exploiting foreign workers and paying below-market wages, to laying off employees and filling the jobs with H-1B workers (allegations leveled at Southern California Edison and Disney in recent months). Is there a talent shortage in technology and computer science, or are companies "outsourcing" particular job functions like IT and software engineering to lower costs?
Naysayers point to H-1B programs as one of the dynamics that are lowering career incentives for technology professionals. Many workers in these H-1B programs, which are currently capped at 65,000 despite calls for expansion, work in the United States for several years and then return home with more marketable skills. Cheaper labor may also affect hardware and software implementations, which are already at high risk for security vulnerabilities, although below-market compensation has not been specifically documented for cybersecurity roles.
While the H-1B program is designed to help U.S. employers remain competitive globally by attracting highly sought-after skill sets, concerns about intellectual property theft and cyberespionage are heightened in some industries when hiring risks extend across borders. Do you really want to bring in foreign nationals to perform certain tasks, even if they are highly skilled?
The data breach disclosed in June by the U.S. Office of Personnel Management (OPM) that exposed private information on all past and current federal employees has accentuated concerns about giving privileged access to contractors who are based in other countries or have foreign passports. Ars Technica reported in June that a consultant who managed personnel records when he worked for an OPM subcontractor three years ago was alarmed when he realized that other project members, who were either physically based in other countries (Argentina and the People's Republic of China) or had PRC passports, had root access to multiple agencies' databases:
"I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is 'so what's new?'"
Political hot potatoes
In just a few years, cybersecurity has moved center stage in the political quagmire that surrounds government access to Internet communications and alleged nation-state activities attributed to China, Russia, the U.S. and North Korea (after the Sony breach). According to the ISACA and RSA survey data, close to 20% of enterprise IT professionals surveyed cited nation-state attacks as a threat to their organization in 2014.
After the widespread "data collection" activities of the National Security Agency were exposed in 2013, the "techno-nationalist" policies and data protection and privacy regulations of some countries have created hurdles for cloud providers and networking companies, as fears of "backdoors" intensify. Does importing cybersecurity talent have national security implications?
"People are conflating the idea of loyalty with nationality," says Leviathan's Arlen, a Canadian who has worked as a CISO in the U.S. and provides security consulting to financial and utility verticals. "The reality is that at every single level all the way up to CISO, there is a lack of potential candidates, and you will take them wherever you can get them."
"The frustration comes in when it comes to battling attribution," he says. "If you have Mandiant do your analysis, nine times out of ten they are going to say it was China. If Norse does it, they are going to say it was Iran." The claims of attribution are just that: claims. It is a risk calculation; you have to treat everyone who walks in the door equally and make your decision from there.
Each organization needs to determine what its profile is for hiring, agrees Schwartz, and if your company is multinational, the reality is that other aspects are going to determine whether someone is qualified to meet the job requirements. It's important to ensure that you know who you are hiring, and that you have local people do a background check. Like any other job, you also need to make sure that the person has the right educational credentials and training and can execute the skills that they are asked to perform. "When we hire people, we make sure they pass background checks, and provide them with the right supervision," he says. "Certainly a globalized view in today's world is the correct one, and it reflects the views of the ISACA organization."
Training and certifications that enable candidates to demonstrate that they can actually perform the skills needed to be effective on the job are also gaining momentum. While certifications such as the CISSP may be required to get a seat at the table, more certification exams are becoming performance-based. "It's not just that you can enter an answer to a multiple choice question on, 'Do you know what a firewall is used for?' But that you can actually demonstrate during an event that you know what to look for in firewall logs and what actions to take," says Schwartz, who noted that ISACA is among the organizations that offer this type of certification and training.
Recruiting platforms have also emerged that can help companies better evaluate performance. HackerRank enables companies to create coding challenges for computer programmers, with automated scoring and assessments, in machine learning, security and data science. In addition to putting programmers to the task, a unique CodePair feature enables security managers to interact with applicants using a split screen to view and write code in real time. The San Francisco company runs hackathons for computer programmers worldwide. CEO Vivek Ravisankar, who has a computer science degree from India's National Institute of Technology, says that he got the idea because he was routinely passed over for jobs. Adobe, VMware, Walmart and Yahoo have used HackerRank's service to find programmers, according to the company.
While professionalizing cybersecurity is promoted by some research organizations, including a report published last August by the Pell Center at Salve Regina University, technology proponents point to higher levels of automation (and a move away from manual processes).
Relief for security teams may also be provided by a new category of tools designed to integrate on-premises and third-party systems, and to orchestrate workflows and operations throughout the security monitoring and incident response process. Key technologies include CSG Invotas Security Orchestrator (among the tools used by OPM to detect the breach) and Phantom Cyber, which is still in stealth mode and expected in beta later this year.
"Automation is a good thing if you can get there from here," says Schwartz. "Our industry, security, has not perfected predictive analytics yet; we are not even close to getting there, and artificial intelligence isn't here yet either. So I think for a long time to come we are going to see the need for humans to be deeply involved in the cybersecurity process, particularly when it comes to stopping events."
The question isn't so much how we can automate the problem and make it go away, says Schwartz: It's who really needs to be doing cybersecurity, and who should have others doing it for them. Enterprises are increasingly using managed services for IT and moving to the cloud, and security will likely follow a similar trajectory.
"Right now, many organizations try to solve this problem on their own, and they try to hire people," he says. "It is sort of like a bunch of small countries trying to fight a superpower in terms of organized criminals and nation-states; there's just no hope."
About the author
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter: @RichardsKath.