Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

02:30 PM
James Hadley
James Hadley
Connect Directly
E-Mail vvv

To Narrow the Cyber Skills Gap with Attackers, Cut the Red Tape

Attackers are getting further ahead, and entrenched corporate rules shoulder much of the blame.

In recent years, the cyber skills gap between attackers and defenders has widened. Corporate security teams — their hands tied by budget constraints, box-ticking exercises, internal politics, and outdated training — are struggling to catch up. More than half of organizations now consider the shortage of adequately trained cybersecurity professionals to be a major problem.

Attackers, on the other hand, have no such problem. Unfettered by corporate issues, they operate in the type of purist environment in which technical talent thrives. They "learn by doing" — continually coming up with creative ideas to solve a problem, rewarding curiosity and perseverance, and encouraging innovation. Because of this, they remain steadfastly in the lead. While many companies talk about a need to address the cyber skills gap, few are challenging existing norms. The security sector is good at tearing up rule books, so it's about time this applied to skills development.

Deeply embedded legacy process lies at the heart of an organization's cyber skills gap. For example, HR teams typically are involved in the hiring of cyber talent. Not that this is wrong, but while filtering candidates, an absence of specialized technical knowledge is often compensated for by an overreliance on formal accreditations and certifications.

Although certifications do have relevance and carry weight, they can also exclude genuine talent. They rely on the person having the time and resources to undertake them in the first place, discounting those who don't have either or even possess the mindset to do structured courses in the first place. As many in the industry know, raw, unstructured talent often is the best.

To this point, skills gained through experience and creative thinking bring immeasurable depth to a security team. Much classroom-based training neglects this, using passive listen-and-learn methods that don't always appeal to the personality types of high-performing cybersecurity talent. The most effective cybersecurity professionals want to learn on the job. Naturally inquisitive, they prefer to take things apart and find out how they operate. This is a self-learned skill and it is deeply personal, not something that can be dictated.

An organization's internal people structures also stop the right skills getting to the right place. Rigid hierarchies enforced by subtle work politics still dominate security teams, meaning those responsible for specific areas are not always the best qualified but simply people with more time in the game. This is where such teams can learn from their foes. Attackers put more stock in the idea of a meritocracy. If someone is a better malware writer, they write malware — letting the expert social engineer worry about hooking people with a targeted phish.  

Speed of response — the main issue that dominates any cybersecurity countermeasure — is also the single biggest problem for any organization when it comes to closing the skills gap. If security skills are ever expected to keep up with those of an attacker, they must be updated as regularly and often as attacks change. This is not happening in the majority of cases. Malware morphs continuously, domains are generated randomly, and Web app attacks are dynamic, yet training happens the third Thursday in the last month of the quarter.

This factor is widening the gap between attack and defense more than any other factor. Current training approaches mean that the skills learned are often out of date by the time the person leaves the classroom. Cyber skills training needs to be continuous to be relevant. You wouldn't expect your technical defenses to operate on outdated threat intel, so why your human ones?

Here Are Some Steps to Cut Through the Red Tape

  • Look for demonstrable skills and experience rather than just formal qualifications.
  • Include a skills-based test as part of the recruitment process.
  • Ensure a cybersecurity professional — third party if necessary — is involved throughout the entire process.
  • Gamify training — story-driven wargames will allow teams and individuals to hone their skills in "real life" situations.
  • Base any training on real-time threat intelligence to assure greater preparedness.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.


James Hadley founded Immersive Labs in January 2017 after delivering GCHQ's cyber summer school. It was during these sessions he realized that passive, classroom-based learning doesn't suit the people, or pace, of cybersecurity. Not only did the content date quickly, its ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
5/22/2019 | 3:17:32 AM
The Offensive Security Model
This is one of the most re-hashed complaints in tech and for a reason.  Since the Nineties I've been working in tech and always sought out work where part of the interview process put me in front of a terminal.  Even the certifications I've obtained I leave off my resume because getting a job based off certs my last company footed the bill for means I didn't prove myself to the new employer.  Give the candidate a pile of parts and have them build a PC/server/laptop, install an OS, configure a network; break into the network.  Don't tell me what you've done, show me what you can do.

For InfoSec, just as in respected certs for Linux, the model must include partial book work and paper tests, but the majority has to be hands-on execution, proof of knowledge, or no cert.  Companies who want to obtain quality employees and keep them will adopt a similar model, including some of the recommendations in this article.  Implement an intensive hands-on interview process, "show me".  Implement a regular boot-camp with capture the flag (CTF) events to keep employees sharp; encourage gamification.

It's amazing how quickly the weak links are identified when your models become interactive - combative - and stop being passive.  If you're serious about your security and the integrity of your network, background checks and onsite hands-on proof of skill should be priority one, paper an afterthought.   
User Rank: Ninja
5/21/2019 | 3:43:39 PM
They are paper proving you passed a test.  In a sense, great but mostly not so much.  Experience in the field counts and that goes for ANY subject in ANY field.  Not all IT staff have the budget for a CIISP certification and similiar ones.  True that is the gold standard but not many exist and the skill gap needs to be filled.  i would encourage filling the gap and providing resources for knowing candidates to GET a degee relatively quickly and efficiently.  BTW - when I was a self-employed consultant some 5 years ago, knew nothing about malware and practical measures on backup saved a 501C3 museum from Cryptolocker.  I was doing it RIGHT WITHOUT KNOWING IT.  Restoration 98% within 3 hours.  Not bad.  So experience counts.  Read that Baltimore?  

Full disclosure - on September 11 my data center crashed 103 floors in the south tower and I got out of 101 of them by walking.  Relatively familiar by default with disaster recovery and business continuity planning. 
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-12-04
An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the...
PUBLISHED: 2020-12-04
Out-of-bounds read issue in GT21 model of GOT2000 series (GT2107-WTBD all versions, GT2107-WTSD all versions, GT2104-RTBD all versions, GT2104-PMBD all versions, and GT2103-PMBD all versions), GS21 model of GOT series (GS2110-WTBD all versions and GS2107-WTBD all versions), and Tension Controller LE...
PUBLISHED: 2020-12-04
The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2.32, when converting UCS4 text containing an irreversible character, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
PUBLISHED: 2020-12-04
hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.
PUBLISHED: 2020-12-04
An issue was discovered in SonicBOOM riscv-boom 3.0.0. For LR, it does not avoid acquiring a reservation in the case where a load translates successfully but still generates an exception.