A simple cure for the cybersecurity skills shortage

An approach that has worked for centuries in all sorts of industries is just as applicable to the security field

There's a simple solution to the lack of skilled cybersecurity professionals. Which is not to say that it will be easy.

People constantly bemoan the dearth of skilled cybersecurity personnel, especially after a high-profile breach. And we hear a lot of proposals for fixing the problem: more certifications, more training, more research. All of these solutions amount to lobbying; they come from certification bodies, training companies and university researchers.

I don't deny that those proposed solutions are useful for improving some aspect of cybersecurity knowledge, skills and abilities. But taken all together, they won't give you a skilled practitioner. They won't even give you a competent practitioner. The best of these suggestions might be certification, but not all certifications are created equal. Certifications that require work experience are far superior to those that don't. Having extensive experience applying the knowledge embodied by the certification is the only way to demonstrate that you can provide expertise in securing an organization in practice.

Beyond certifications, though, experience is always the key in developing skilled security practitioners.

Many people would say that the National Security Agency, where I used to work, is the world's leader in cybersecurity, and has been for four decades. Given that reputation, it's interesting to think about how it came to occupy the pinnacle of cybersecurity competence.

The first thing that strikes me is that the NSA draws its staff from the same pool of personnel that's available to industry. Its potential employees don't have any unique knowledge, skills or abilities unavailable to private enterprises. What the NSA does is to hire people with appropriate backgrounds and skill sets and then build on those skills with on-the-job training and mentorship. It's that simple, but as I said, not necessarily easy.

This sort of thing is the normal practice in other industries. A new graduate with an architecture degree is not going to be hired to design a landmark building. Instead, he or she will work for years supporting a team of experienced architects, gradually taking on more responsibilities commensurate with his or her accumulating skills and experience. The same is true of engineers, and even of those in less prestigious professions, like plumbing. Why should we expect cybersecurity to be any different?

When I applied to the NSA, I had to take aptitude tests, which showed that I had high computer aptitude. I was offered a position in the Computer Systems Intern Program, where I had rotating job assignments in the computer field while attending various computer-related classes. Those classes were virtually the same as those taught at most colleges. My work assignments varied in responsibility, but that responsibility was always commensurate with my abilities. I was not looked to as an expert. Expertise takes time to develop and has little to do with the number of classes taken, certifications awarded or degrees attained.

My assignments involved programming, systems and network administration, cryptanalytic programming, database design and administration, white- and black-box software testing, and other functional roles. While none of those roles directly involved security per se, they all involved security when done properly.

The tactic that the NSA used was to add security skills, gained through experience, to competent individuals, rather than to take cybersecurity graduates and throw them into security matters with no experience. Even the highly accomplished NSA Tailored Access Operations unit was not staffed with people with degrees or certifications in cybersecurity, but with really smart IT professionals who understood the underlying technologies and were able to figure out how to exploit them.

When you look at the early experts in security, including those at the NSA, none was a formally trained security expert. They were either transplants from other areas of information technology, or they were considered to have exceptional ability and were mentored.

So when you look at the cybersecurity skills shortage, think about what is already working, at the NSA and in other industries: starting with capable people (even though their skill sets might be tangential) and having them apprentice under skilled people.

This approach takes time, effort and money. It's not easy. It is, however, what actually works.

Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site, irawinkler.com.
