One of the biggest problems in cyber security is that there are not enough qualified experts to manage the volume of attacks, alerts, audits, incident response drills, infrastructure upgrades, and compliance reports. And that’s not even getting into threat hunting or risk hunting. So, how do we address this problem?
We’re making some progress on multiple fronts, but we can do better. Technology, and the actual technological approaches of new solutions are starting to save humans lots of time. We still need people, though, and, more importantly, we need to create programs that encourage and incentivize new players into today’s information battle.
The U.S. government is creating programs to incentivize entrance into the information security field but, right now, these programs are largely targeted at college students. Don’t get me wrong, we need youthful energy to combat the “game face” that attackers put on, and we need young talent we can mold and grow into the right type of cyber soldier against today’s and tomorrow’s attacks. But more is needed.
There’s a multitude of technology professionals, analytical thinkers, and engineers who would love to get in the game—but they don’t really know how to do it.
I’ve talked to several people who have shifted into security after starting their careers in another field, or who have worked long enough to have rock star coworkers make similar transitions. These situations are still pretty rare, though. We need people to dive right in if they show the right aptitude and passion for cyber defense.
Here are some quick points to keep in mind if you’re considering moving into security.
Look at your existing area of expertise. If you’re a programmer, maybe you can work on creating more secure software development life cycles, or you can try to find a security engineering position where you help utilize vendor APIs to incorporate automation and orchestration. If you’re a network admin, maybe you move into more of a network security-monitoring role. The same goes with other existing technology jobs. Cyber defense usually has a spot for you that requires your existing skills.
Not everyone is the quarterback. I meet with lots of teams every week, and some need a quarterback, but pretty much everyone needs a lineman or a defensive back—team players who fill important supporting roles. Often, these roles are great because you get to interact with lots of different specialists and play with a lot of tools. You’ll gain experience quickly and figure out where you can make the greatest contribution.
You might even help evaluate products and set up various sensors and monitoring capabilities, essentially doing the basic blocking and tackling that should be done before anti-APT and threat-hunting efforts become the team’s focus.
Think about roles differently. Some of the best teams I have met are doing it with a slight twist. Almost all security hires are more like programmers, because these days being able to leverage vendor APIs and tie information together (again, orchestration) is huge. Being able to write a few lines of code to filter out some of the events you’re seeing, being able to generate more customized alerts that are more easily digestible, and being able to pull in custom context and threat intelligence are some of the reasons to have programmers on your security team. Beyond this, teams are having success bringing in financial analysts as security analysts, because these individuals are skilled at critical thinking, looking at data and patterns, and leveraging multiple technologies to help reach a conclusion.
Incentivize and grow. The government needs more incentive programs to fill the national cyber shortage, but the effort should extend beyond that. Private companies should offer incentive deals where a prospect is loaned $10,000 to take and complete SANS classes. If they pass, they are hired by the company. The employer knows that the employee has a particular baseline, and they could count that money as the employee’s training budget. Or, embrace similar ideas where a working adult who might not have the money upfront can make the shift, too. We need to think more like this so we can attract working professionals and other non-college talent pools into the world of cyber defense.
Make it welcoming. Security circles are often filled with mild arrogance because, well, those people are often very smart and are doing hard jobs. But we need these circles to be welcoming. The security ninjas need to treat the white belts with respect and nurture them so they can eventually wear a cyber defense black belt. We need mentoring programs, cheaper or free training, and marketing and PR efforts to let the public know that cyber security is a great career path.
You don’t have to be in security now to get a security job, and you don’t have to just recruit existing security professionals to fill your ranks. There’s opportunity, we just need to create more incentives, generate exposure to the broader technology and analytical thinker talent pools, and then execute. Let’s make 2015 better than 2014 when it comes to expanding the security talent pool.