For years we’ve talked about the dearth of skilled cybersecurity professionals which ISACA reports is now estimated to reach two million by 2019. Encouraging more individuals to pursue technical and engineering degrees can help address the shortage. But we can also expand the talent pool by thinking more broadly about cybersecurity and what it takes to be an expert.
There is no one definition of a cybersecurity professional and no one path to get there. Success requires certain core strengths, the right course of academic study, real world experience and mentorship. Further, as the field has matured we’ve seen that many domains must come together to perform security well – infrastructure security, application security, data science and business risk. Only with talent across these domains can we develop, deploy and manage secure solutions that can mitigate risk effectively as threats continue to evolve. Let’s take a brief look at these four core domains and a few of the “must have” skills for success.
Infrastructure Security – Because a myriad of components, such as network connections, servers, databases, middleware and various endpoints all work together to protect an organization’s infrastructure, a well-rounded security professional with a strong foundation across an array of technologies has the opportunity to truly excel. With a multidimensional skillset, he or she will be able to architect, build, and manage a highly effective threat defense. For example, to properly segment an infrastructure, knowledge of networking, server operating systems, identity and access management, and databases is required. Experts in these areas can dive deep as needed, but a security professional with a breadth of knowledge can not only provide strategic recommendations to the business on how to use segmentation to strengthen defenses, but also lead and manage the efforts to do so.
Application Security – Success in this domain is often predicated on genuine curiosity and a penchant for deconstructing things. Application security professionals apply this mentality to think like an attacker and identify weaknesses in applications that adversaries may exploit. This type of critical thinking is not restricted to STEM course study and many times may be developed effectively through a liberal arts or humanities education. Regardless of formal education, a well-rounded application security professional also needs development skills to understand coding and how an application is built in order to construct threat models and determine how it could be broken. Technical skills, combined with the ability to clearly articulate the analysis – including the vulnerabilities, threats, associated risks and mitigation strategies – to a variety of audiences, is critical.
Data Science – As adversaries devise new ways to evade detection, data science can be applied to detect these emerging threats. But it is only in the last few years that we have been able to gather data sets that are large and diverse enough to conduct meaningful analysis. This makes data science a new, high-growth area and cultivating talent can take time. It either starts with individuals who have a sophisticated understanding of mathematics and statistics and then have spent time in the security operations center (SOC) analyzing real attacks. Or it starts with a SOC analyst who has demonstrated a mastery of monitoring and analyzing threats and then has invested academically in developing mathematical skills. Either way, in order to succeed, data scientists need a combination of mentorship grounded in reality and experience conducting analysis on vast amounts of data to understand what happened and why.
Strategy, Risk and Compliance – Frequently referred to as the business side of cybersecurity, this domain is important for two reasons. First, the entire purpose of cybersecurity is to enable and support business objectives. Yet the IT department and cybersecurity are often viewed as the office of “no.” Technical security staff must have the business acumen to understand business objectives and understand where risks reside. This will allow them to work with business leaders to align security with digitization strategies that leverage the Cloud, IoT and analytics. Second, there is a huge communications and knowledge gap between executives in the board room and technical security staff sitting in the SOC. They speak two very different languages – revenue and business risk vs. speeds and feeds. Security professionals who succeed have mastered the ability to translate technical, cyber security topics in terms that are meaningful to board members and can outline business implications. General business administration/management, finance and economics classes, as well as mentors outside of technology, can help security professionals bridge the gap and excel within the operational realm of cybersecurity.
There is no quick fix for the cybersecurity talent shortage that has plagued us for years. But with a broader perspective on cybersecurity and what it takes to be an expert, we can expand the universe of qualified workers, better cultivate the talent we have, and improve security in the process.