In recent years, the cyber skills gap between attackers and defenders has widened. Corporate security teams — their hands tied by budget constraints, box-ticking exercises, internal politics, and outdated training — are struggling to catch up. More than half of organizations now consider the shortage of adequately trained cybersecurity professionals to be a major problem.
Attackers, on the other hand, have no such problem. Unfettered by corporate issues, they operate in the type of purist environment in which technical talent thrives. They "learn by doing" — continually coming up with creative ideas to solve a problem, rewarding curiosity and perseverance, and encouraging innovation. Because of this, they remain steadfastly in the lead. While many companies talk about a need to address the cyber skills gap, few are challenging existing norms. The security sector is good at tearing up rule books, so it's about time this applied to skills development.
Deeply embedded legacy process lies at the heart of an organization's cyber skills gap. For example, HR teams typically are involved in the hiring of cyber talent. Not that this is wrong, but while filtering candidates, an absence of specialized technical knowledge is often compensated for by an overreliance on formal accreditations and certifications.
Although certifications do have relevance and carry weight, they can also exclude genuine talent. They rely on the person having the time and resources to undertake them in the first place, discounting those who don't have either or even possess the mindset to do structured courses in the first place. As many in the industry know, raw, unstructured talent often is the best.
To this point, skills gained through experience and creative thinking bring immeasurable depth to a security team. Much classroom-based training neglects this, using passive listen-and-learn methods that don't always appeal to the personality types of high-performing cybersecurity talent. The most effective cybersecurity professionals want to learn on the job. Naturally inquisitive, they prefer to take things apart and find out how they operate. This is a self-learned skill and it is deeply personal, not something that can be dictated.
An organization's internal people structures also stop the right skills getting to the right place. Rigid hierarchies enforced by subtle work politics still dominate security teams, meaning those responsible for specific areas are not always the best qualified but simply people with more time in the game. This is where such teams can learn from their foes. Attackers put more stock in the idea of a meritocracy. If someone is a better malware writer, they write malware — letting the expert social engineer worry about hooking people with a targeted phish.
Speed of response — the main issue that dominates any cybersecurity countermeasure — is also the single biggest problem for any organization when it comes to closing the skills gap. If security skills are ever expected to keep up with those of an attacker, they must be updated as regularly and often as attacks change. This is not happening in the majority of cases. Malware morphs continuously, domains are generated randomly, and Web app attacks are dynamic, yet training happens the third Thursday in the last month of the quarter.
This factor is widening the gap between attack and defense more than any other factor. Current training approaches mean that the skills learned are often out of date by the time the person leaves the classroom. Cyber skills training needs to be continuous to be relevant. You wouldn't expect your technical defenses to operate on outdated threat intel, so why your human ones?
Here Are Some Steps to Cut Through the Red Tape
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.
James Hadley founded Immersive Labs in January 2017 after delivering GCHQ's cyber summer school. It was during these sessions he realized that passive, classroom-based learning doesn't suit the people, or pace, of cybersecurity. Not only did the content date quickly, its ... View Full Bio