The Cybersecurity Skills Gap: Is it Real?
One of the most pervasive bugbears in the information security community is the cybersecurity skills gap, the idea that the field needs both more and better cybersecurity specialists. Often the skills gap is presented as a threat to profits, national security, and market stability. To some extent, we agree—there is a problem with security hiring and staffing. Most of the time, however, this problem is formulated only in terms of a lack of skilled applicants. Here is where the skills gap doesn’t pass the gut check, based on the cumulative century of security experience that F5 Labs brings to bear.
The cybersecurity skills gap is not merely a problem with supply, but also with demand. The security industry is partially responsible for creating this problem through a combination of the tragedy of the commons, extraordinarily vague needs, and unrealistic expectations. Furthermore, in our experience, the myopia in cybersecurity hiring is not just hard on candidates. It is a big part of why cybersecurity itself is becoming simultaneously harder and less well defined.
Defining the Cybersecurity Skills Gap
We have our own opinions on the most important skills and perspectives in cybersecurity, but first we want to try to pin down the staffing problem.
How Much Cybersecurity Expert Can I Get for $20K?
Some of the problems around security hiring mirror broader staffing issues: everyone wants a finished product, but nobody wants to pay market rate. We often hear an argument like “I don’t have time to train someone, I have to mitigate these threats tonight!” While we have been there and can appreciate the sentiment, the fact that we have yet to find an equilibrium between candidate supply and demand indicates that we might not be formulating or pricing the problem correctly. If everyone always holds out for the complete package, nobody will ever get the complete package.
What Is Cybersecurity, Anyway?
Another issue in our field is that many organizations seem to build security staffing requirements around a bachelor’s degree in computer science. It is possible that this was a good strategy once, but computer science degrees and security are increasingly mismatched, for several reasons. Most people in computer science programs want to write software. Furthermore, most computer science programs offer little material on security. This is partly because there is so much other material to cover, and partly because security knowledge isn’t yet a big part of the development careers that follow. DevSecOps continues to hold promise, and developers may, in time, begin to know and care about security, but we aren’t there yet. Our own intern, Katie Newbold, is a skilled coder with a bright career in front of her, but when she came to us, many basic security principles were new to her.
It’s clear that security is computer science-adjacent at best, in terms of both the body of knowledge and daily behaviors. A computer science graduate coming into security will not only have learned a lot of unnecessary information, but they will also have a lot of catching up to do. If nobody recognizes these gaps for what they are, the candidate can appear untalented or unmotivated.
Which Cybersecurity Are We Talking About?
Another problem is that security itself is a poorly defined body of knowledge. There are so many different skill sets that even veteran security experts often don’t see eye to eye about what a security professional should know and do. Our field encompasses such subdomains as malware analysis, penetration testing, code review, forensics, threat intelligence, risk assessment, compliance, cryptography, network monitoring, and incident response. It requires understanding of other domains, including software development, application architecture, information architecture, data visualization, law, basic business principles, and effective communication. It occasionally requires knowledge from fields like geopolitics, global economics, counterterrorism, behavioral psychology, and statistical methods.
No institution can effectively cover all of this in one shot, and the needs of a given organization will also be determined by its strategy, security architecture, and the hiring manager’s perspective. This means that even experienced people need to be willing to humble themselves and constantly gain new skills.
Thus, the degrees that tend to get candidates hired in the field aren’t a great match, and the field itself is so resistant to categorization that only lifelong learners can write their own tickets. However, one thing marks the kinds of people who go on to do well in the field, and that is a fundamental interest in the idea of security. If people have that, we can teach the rest. For that reason, we think that rather than looking for turnkey candidates, it’s better to cultivate the practical skill set among people who self-select as interested.
It’s Better to Grow Your Own Cybersecurity Experts
It can feel like a gamble to invest in unskilled but motivated candidates. It would be great if you could get a security genius off the shelf, but both the history and the direction of the field indicate the need to cultivate rather than purchase. The key to this is to test for passion first. For cybersecurity professionals, continual learning is part of the job. If they aren’t curious and motivated to do this, don’t bother going further. It will be a waste of their time and yours.
Conversely, if you find someone drawn to the field, then training them is a win for everyone—for you, for them, and for the organization. These people will go on to be more effective and significantly cheaper than the alternatives. We also need to emphasize that, in our experience, many of the best candidates will be from nontraditional backgrounds, and not just computer science students—self-taught, passionate hobbyists and code-school candidates have frequently shown themselves to be willing and able to learn and excel in our field.
Next: Care and Feeding of Your Future Expert
The commitment to cultivating raw talent into expertise is obviously a long-term one. Since these kinds of candidates don’t have the formal knowledge yet, they are going to need training and guidance in the beginning. With that in mind, part 2 on this topic will break down some of the most foundational cybersecurity skills. That way, organizations and newcomers to the field can plot their own trajectories and become the kind of defender that organizations really need.