As the competition for cybersecurity professionals grows more intense, companies are increasingly focusing on a new strategy to find the talent they need: plugging the skills gaps in their existing workforce.
"Many companies I work with are getting to the point where they have given up on attracting people; they have become more focused on keeping the people they have and training them in the skills they'll need to stay effective," said Simone Petrella, founder and CEO of online training firm CyberVista.
Certainly, organizations are acutely aware of the need for their security workforces to keep current. A research report jointly published last summer by the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) found that 92% of those surveyed said security professionals must keep up with their skills or the organizations they work for will be at significant disadvantage in today's rapidly evolving cyber threat landscape.
"Ignorance is not bliss in this profession, and ignoring the need for rapid learning only puts the organizations that folks work for at a significant amount of risk," said Candy Alexander, president of ISSA International and CISO at NeuEon.
According to the ESG-ISSA report, 70% of ISSA members believe their organizations have been affected by the global cybersecurity skills shortage, with 45% stating that the cybersecurity skills shortage has gotten worse over the past few years, 48% stating it's about the same and a mere 7% saying things have gotten better. The biggest ramifications of the cybersecurity skills shortage cited by survey respondents were increased workloads for their current security teams, unfilled open job requisitions, and an inability to learn or fully use cybersecurity technologies.
"Our profession has matured to the point where there are many disciplines requiring a variety of skills sets," Alexander said. That includes some all-important soft skills.
"Technology no longer completely defines who we are," Alexander said. "Cyber professionals need to support the business -- and, therefore, they need to begin to think and understand how a business is run, what direction the business is moving towards -- and to support it through secure practices."
Here are the technical skills and soft skills that security industry professionals say are the most important for building a successful career -- and putting organizations in the best position to remain effective.
Top technical skills needed to advance your cybersecurity career
- Application security development. Companies need security people who are skilled in DevOps concepts and can work closely with the software engineering teams. Communication skills are important here because engineering departments are often focused on getting a product out the door or on the product's functionality versus its security. People interested in this area, therefore, need to be flexible because application security development often falls under business units outside the security team's direct control. In addition, security professionals are often primarily focused on keeping the bad guys out rather than on building security into products from the get-go. Honing your skills in application security development will require adapting to a new security mindset and culture.
- Cloud security. As more companies look to cloud infrastructure to store data and run applications, they need people who understand the underlying infrastructure and how to tie identity management and authentication to running basic SaaS applications securely. Many cloud breaches happen because of fake pages set up where credentials are stolen. Companies need people who are familiar with these tactics and can manage the cloud security tools that monitor and identify these kinds of schemes.
On the business side, companies also need people who understand the contract clauses in agreements with the vendors that offer these cloud services; in particular, cloud security experts need to understand the company's responsibility for security in the vendors' shared responsibility agreements. People with experience managing the big platforms, such as AWS, Microsoft Azure and the Google Cloud Platform, are in high demand.
- Threat intelligence analysis. There are any number of threat intelligence tools on the market, but people who can use the tools properly and contextualize and analyze threat trends are in short supply. Companies tend to have a hard time finding people with this talent -- and an even harder time training them. The job requires strong analytical skills, curiosity and the ability to handle high-stakes pressure. Threat intelligence experts are skilled in analyzing digital forensics. They often have some programming skills, especially in Python. Security people interested in this area can develop experience working on incident response teams where many of these skills also come into play.
- Penetration testing/red teaming. People with pen testing/red teaming skills are offensive security types -- experts who can go into companies and tell them what's broken and how to fix it. It takes several years of training and experience to do this work well, and that's why companies also have a hard time finding these people. The best pen testers believe that they can hack anything. It takes a lot of confidence and bravado, but it also requires a lot of skill that's gained in the classroom, in hands-on seminars and on the job.
- Network security. Network security skills are basic skills that everyone in the security field should have. Some of the best security people come from a network security background, precisely because the basics of security stem from understanding how networks work: You can't defend networks if you don't understand how routers work, what the firewall logs mean or haven't mastered the fundamentals of intrusion detection and prevention. Many would argue that the best career track for security professionals is to start in computer support and then work as a network administrator and build security skills over time from there.
- Identity and access management. The vast majority of breaches -- more than 80% -- are caused by compromised, weak and reused passwords. Once again, communications skills are important. Companies need people who can explain the threats to people and teach them how they can improve their password practices by using Google Authenticator, Authy or other passwordless tools -- fingerprints, face IDs, retina scans -- in their daily work lives. Companies also need people who can manage identity and access management tools and how to set network privileges and manage them properly so the organization stays vigilant against intruders. Experts in this area must be able to define levels of access to certain data sets and set privileges tailored to employee roles and responsibilities.
- Risk and compliance auditing. The skills required in this area depend in part on the industry or part of the business you work in. Companies focused on e-commerce will need people who understand how to comply with PCI DSS regulations; just about every type of organization, on the other hand, has to deal with HIPAA compliance for sensitive medical data. Soon, organizations will need people who are familiar with the various data privacy regulations, whether they are based on the European Union's GDPR or the California Consumer Privacy Act. Companies will need people who can assess the noncompliance risks and understand what paperwork to file and which security protocols to put in place to comply with the regulations.
- Mobile-remote computing. Here's a skill that many may argue should go up higher on the list. Certainly, during 2020's work-from-home period, security teams spent the bulk of their time rolling out VPNs or managing Remote Desktop Protocol (RDP) servers so employees could access corporate applications from home. Even though there's some light at the end of the tunnel with news of a series of vaccines, companies will not send their employees back to the office right away. Many companies may find that the work-from-home model works well for them, so security teams will need people who understand how to manage VPNs and RDP servers and work with people on how to segment their home networks for greater security.
Meet the experts
Here are the industry experts who helped develop our security skills list:
- Candy Alexander, president, ISSA International, and CISO, NeuEon
- Ryan Corey, co-founder and CEO, Cybrary
- Brandon Hoffman, CISO, Netenrich
- Jon Oltsik, senior principal analyst, ESG
- Simone Petrella, founder and CEO, CyberVista
- Lisa Plaggemier, CSO, MediaPro
All-important soft skills to advance your cybersecurity career
- Communication/leadership. Experts in the security training field say that soft-side communications and leadership skills are sorely lacking in the security business. Of course, this has always been an issue in the technology field, but it's become more important in business today because security people have to develop an ability to explain technical concepts in ways that business people will understand. The most talented threat hunters or red teamers won't advance their careers if they can't explain basic security concepts to business leaders. That means avoiding in-the-weeds analyses of the impact of intrusion attempts or security incidents on KPIs in favor of plain talk: Explain to top management what the risks are to the company's sales, profits and reputation if it is hit with a data breach.
- Creativity. While the least technical skill, creativity is the one intangible that can catapult people to the top of their cybersecurity careers. Creative security people are able to "think like a hacker," entertaining many what-if scenarios and staying one step ahead of the cybercriminals. Sometimes, the work is like an elaborate chess game. Sometimes, it's like a police stakeout where hackers infiltrate the company's network for months and the security team just waits for them to make their move. Other times, it's understanding that some hackers are lazy and will just go for the low-hanging fruit. Whatever the criminal motivation is, great security people are able to suss it out. They feed their creativity by reading books, keeping up on current affairs and social media trends, playing musical instruments, designing a video game, learning some of the basics of computer animation or getting involved in the community by coaching a sports team or working with kids. Interpreting logs and analytics charts, coding and hard core red team skills will certainly open doors for you in cybersecurity, but having a creative streak and a curiosity about life and people will take you even further.
Enterprise Strategy Group (ESG) is a TechTarget-owned company.