2B The Cybersecurity Skills Gap : Building A Cybersecurity Workforce from Scratch

No ratings

Presented at COSAC 2015 by

Esther Luit

One of the most frequently-cited problems encountered by companies, is the lack of skilled cybersecurity talent available in the job market. The cybersecurity field is relatively new, and only recently with the increased media attention for breaches and a severe increase in cybersecurity labor demand, have educational institutions responded, be it with curricula that are hardly set in any stone. With the speed the field is developing, any knowledge that they offer to students is to be quickly rendered obsolete, and it will take time before the influx of these new cybersecurity students reaches the job market. People with more working experience in cybersecurity, have usually entered the field through a side-step that has given them the required skills in either the technical or the management aspects of cybersecurity, but seldom provides them with the big picture. Furthermore, job titles greatly vary and do not allow for any definite conclusions on whether the person in question conforms to any specific profile in terms of skills, abilities, work values, knowledge and experience. Meanwhile, working on the malicious side of cybersecurity is paying off well for those with the capabilities, and the speed with which attackers come up with new attack vectors requires a workforce that is beyond feasible for most companies to ensure protection. The question the industry poses is thus: How to jumpstart a cybersecurity workforce, with the industry being in its early maturity stages and standardization incomplete? Or to put it more bluntly: “We want more people and we want it now”. The NICE (National Initiative for Cybersecurity Education) has commendably initiated cybersecurity workforce standardization by attempting to define the types of jobs, the levels within these jobs and the skills required by the industry. With over a 1000 tasks to perform and over a 1000 knowledge, skills and abilities listed in order to perform them, this would seem a daunting task for even the most seasoned security professionals in the audience. What is lacking is a concrete approach to training young people to be cybersecurity workers, without having to wait for years of experience or fully matured cyber curricula to develop. In this talk I will thus address the following: Talent Pool: Criteria to broaden the potential hiring pool beyond those graduating in Computer Science or already working in cybersecurity, such as work values, a subset of base skills and non-security knowledge, skills and abilities characteristic for people successful in the cybersecurity field. What is success? Do you need to know about Security? Do you even need to know about IT? Base knowledge & skills: The fundamental knowledge and skills for each maturity level in cybersecurity job functions determines the starting point for further development. These can be extrapolated to educational requirements, going back to as far as the earliest years. What should a cybersecurity master program cover? What should kindergarten cover? Trajectory of Development: A model of adjacent and associated skills (not unlike a game skill tree), which constitutes a pathway for additional development after proficiency in base knowledge and skills has been demonstrated. Certain security profiles can be discerned: What should a hacker be able to do? What should a security consultant be able to do? When is someone specialized in IoT security? Maturity modelling: The development of the workforce as a whole can be used to denote the Capability Maturity of the organization at hand. Is there difference between all-round, leveled organizations, and organizations that consist of SME’s in terms of their maturity level? Is there a good and a bad posture depending on the security requirements / function of your company? By broadening the talent pool, the influx of potential cybersecurity workers can be greatly increased, and with the specified base knowledge & skills and a trajectory of development, companies can actively educate and steer employees in the direction the security market demand is looking. As they move their workforces through the different stages of knowledge and skill development, the workforce will reach a certain level of maturity, providing a real insight into the capabilities of the organization. Altogether, this framework should provide a jumpstart for the cybersecurity labor market and a solid attempt to reach an equilibrium between labor demand and supply. This is the first time this framework will be discussed in public, and the input from the audience will be anticipated and appreciated regarding the selected base knowledge and skills, and the suggested trajectories and maturity models. In general, the questions as mentioned in the bullets are suspected to generate a strong response from the audience.