When it comes to matters of security within information systems there are levels of skills required to perform the proper roles of ensuring information security within your organisation.
If asked a lot of security experts and maybe HR managers would point to a skill gap as one of the main reasons why fighting cyber-attacks and having robust security teams is a challenge.
As CIO or CISOs we have at some point mentioned to HR or the CEO about a lack of skill to help strengthen security within our organisations. It’s no lie the skill gap is there but should the focus be to sing about it or to change it?
The skill gap answer has also been used as an excuse making it something, we have shifted blame to someone else, the passing of the hot potato is the trend we create, worst of all in doing this we create a problem that we could have solved on our own.
The skill gap is not a light subject and one that draws different opinions and opinions that are for the most part strongly held. As CIO or CISOs we have at some point mentioned to HR or the CEO about a lack of skill to help strengthen security within our organisations. It’s no lie the skill gap is there but should the focus be to sing about it or to change it?
Back to the hot potato and why some IT executives might not see the skill gap as a problem they should be tackling, quick to jump the rails and call out an outdated learning system that produces very few qualified if at all qualified work candidates. These IT executives do have a point clear as day the curriculum does need a change and well it’s not their place to change it. If the consequences are on us in the IT field passing the hot potato should be the worst move ever. Similar to a fictional problem-solving method where you ignore the problem until it goes away
But how do you make a change and you are not in the education space? Luckily learning is not the kind of thing that must be done in a lecture hall with a white board. Simply put of you can not get the lecturers to change the content, then work your way around it and advise students on what else to study.
Recently I took up a mentee who required an internship at a cybersecurity firm however the firm had to turn him down for lacking a crucial skill despite him studying computer forensics.
This does highlight a disconnect between what employers and the security space needs and what the schools are offering. The solution become clear to my mentee, go out there and learn the skill. A free online course and the volumes of knowledge available on the internet made it a quick fix for him.
This solution the skill gap does quickly highlight how we are the architects of our own destruction. We don’t need to battle it with other institutions to change the content, the current content is valid (to a degree) after all its where most security experts originally learnt the tools of the trade.
The first solution to the skill gap is one of taking the steps to mentor students in the right direction. And that’s the easy one.
The above solution only goes so far as how many mentees one can accommodate. To cast a wider net and secure the skill gap issue requires a change in recruitment within our organisations. And it can be summed up into this “if you can’t find it build it.” Hire someone who has the potential to become what you need and give them access to the proper trainings and certifications. Build your own security experts and the skill gap and shortage of experts reduces.
One other way we create this skill gap is a lack of practicality in the qualifications of security experts. A trend to look for security experts with 10 – 15 years’ experience baffles my mind. Credit due for those who have this much skin in the game but from a technology perspective I see no harm in going for someone with 5 years’ experience as well. Technology is becoming more obsolete faster what does this mean for security experts? It means you don’t need the experience of having dealt with security matter that concerned windows 2000 or XP, servers and firewalls that are no longer in use and attack vectors that won’t work on the existing technologies we have now. This does make that experience novelty (and yes eventually even some of my experience will become novelty and it’s a truth I have accepted long in advance and maybe we all should) a piece of good knowledge but not something to be seen again.
Approaching the skill gap challenge by involving the following three steps
- Getting involved with the learning process
- Growing talent where talent cannot be found
- Recruiting with an understanding of how fast technology changes and how quickly experience can be eroded
These three not only allow us to own our problem but to have no excuse to fix the skill gap.