Earlier this month, I had the privilege to attend the IBM Security Summit in New York. Among the many great presenters and events during the day was a panel discussion on new and better ways to tackle the cybersecurity skills gap facing governments, industries and academia, and how a new collar approach can help.
The need for skilled cybersecurity talent is growing at an exponential rate, and traditional solutions can only address it in a linear manner. We’ve been working on this problem for years, with not enough progress.
Filling the Skills Gap With a New Collar Approach
The truth is we can’t outrun the skills gap. The panel explored some solutions to this challenge — namely, how we can educate and hire differently — looking at both the supply and demand side of the equation.
Shamla Naidoo, IBM’s vice president for IT risk and chief information security officer (CISO), hosted the panel. She was joined by Casey O’Brien, executive director and principal investigator at the National CyberWatch Center, an organization focused on education and research to improve the information security workforce. Pete Herzog, managing director of ISECOM, an open security research community and nonprofit organization, and founder of Hacker Highschool, also contributed to the discussion.
During the panel, IBM Security announced a new collaboration with Hacker Highschool. As part of the effort, IBM will provide guidance and tools for a new lesson focused on the skills needed for an entry-level security operation center (SOC) analyst.
What’s Working Today?
Naidoo tried to uncover what is working, what isn’t working and what industry is currently struggling with. She noted that cyber competitions seem to be making a dent in the skills gap. These competitions allow students to demonstrate their security knowledge and skills, both individually and collectively as a team. They also offer sponsoring companies, which often recruit directly from the competitions, an opportunity to see how students react in high-pressure situations.
Another idea that received applause was an increased focus on recruiting and retaining more woman in the field. This is a well-known problem in the IT industry in general, but it is particularly acute in cybersecurity. There is a long way to go, but shedding more light on the issue is a good first step.
What Can We Do Better?
Next, the panel turned to the supply side of the equation, discussing the fact that not every cybersecurity job opening needs to be filled by someone with a bachelor’s degree. Some roles just require someone with the right skills and aptitudes — the cornerstone of a new collar approach.
Security leaders can cast a wider net when recruiting and hiring staff members by tapping the mature network of community college cybersecurity programs, which have been evolving over the past 10 years. The panelists noted that the community college brand is not well-understood in the industry, and many security professionals harbor inaccurate preconceived notions about students and programs at these institutions.
The panel further emphasized that the community college space has produced valuable innovations around workforce development in recent years. Security leaders should draw from these untapped pools of not only younger recruits, but also mature professionals with applicable experience.
Nurturing Undervalued Professional Qualities
The panelists then discussed what kind of cybersecurity professional we should be developing. Given the volatility of the threat and technology landscapes, how can we future-proof the professionals we are educating?
The panel suggested infusing real-world experience into cybersecurity education, not just theoretical concepts. First and foremost, students must understand how things work. This aligns with the need to encourage resourcefulness in aspiring security professionals — that is, the ability to find and develop solutions on their own, despite the overwhelming volume of information available at their fingertips today.
Naidoo said she looks at security talent in IBM from two different perspectives: skills and experience, and natural ability. The right candidate has not one or the other, but a blend of both. Sometimes, she said, we focus too much skills and experience to the detriment of aptitude, which could be considered even more important.
Like the rest of the industry, Naidoo’s team has struggled to find and recruit security talent. She has a team of roughly 250 security professionals responsible for securing all of IBM. For her, it not just about the numbers — it’s about changing hiring and recruiting practices and revolutionizing the way her teams do their work.
Closing the Skills Gap
The panelists agreed that security leaders need to educate and train differently, develop new ways of working, and seek out new people and places to hire.
To start, we need to change our hiring and recruiting practices altogether. We must include people with military experience, community college degrees, liberal arts degrees and even aspiring security professionals with no degrees at all in our hiring searches. O’Brien mentioned that he had heard from a large defense contractor that some of its best red-team members are not engineers or coders, but actually music majors — specifically, composition majors.
Companies also need to bring their HR folks into the conversation and encourage them to work closely with the C-suite and those on the ground doing the work. Together, these parties should brainstorm new ways to identify talent.
It’s important to realize that enthusiasm, resourcefulness and curiosity are just as important as technical skills. Technical needs will evolve over time, but the fundamentals will always be the same. Security leaders should devise new ways to foster these intangible qualities.
Finally, don’t expect every potential hire to possess every technical skill under the sun. Naidoo builds teams of five to seven people with complementary skills so they can continue to work together when the environment shifts. An individual team member might be teaching one minute, then learning the next. With a new collar workforce, security teams can fight today’s threats more effectively and evolve along with the cybercrime and technology landscapes.