If you’re a security professional you’ve probably heard we’re going to be 2 million security professionals worldwide by 2017. At least that’s what speakers at the Digital Skills Committee at the House of Lords in London said recently. The basic thought is that we’re not training enough students to be security professionals and there is an increasing need for security professionals as we face further reliance on the Internet for banking, commerce and entertainment.
Add to these pressures the expansion of Internet enabled devices, the Internet of Things, and you can easily see a shortage of 2,000,000 professionals within the next two years. The only problem is, we may be underestimating the number really needed by a factor of 50-100%.
Finding the Right People
Ask anyone who’s tried to hire a qualified security professional within the last five years and you’ll hear a story about the difficulty of finding the right people. Finding the right skill and the right person, even for an entry level security role is difficult. And it only gets more painful when you’re looking for someone more experienced or with a specific skill set that’s in high demand. It drives up the salaries in the field, it causes longer search times for candidates and it basically sets unrealistic expectations for new people coming into the field.
But the real reason we’re likely to suffer an even higher deficit in security professionals is two-fold. First is the concept of technical debt, more specifically security debt. Security has been an add-on for decades, something that was either ignored or added as an afterthought, which has only really been changing in recent times. We haven’t put the resources necessary in place to properly protect many of our systems, and that security debt has been gathering interest silently in the background. As we start digging into these problems, it’s likely we’ll find they are much bigger than they appeared because past deficits will be revealed.
The second, closely related issue is a rising storm of issues in older software, which are creating a new norm in security vulnerabilities. If you work in security and haven’t lost sleep to Heartbleed, Shellshock, Poodle or the latest bug in Drupal, you should consider yourself very, very lucky. And as the industry starts looking deeper into the old software we all rely on, as researchers re-examine foundational code that makes the Internet run, we’re going to have more emergency patches issued and lose more sleep to responding to the fire drills. The stress caused by this increase in emergency class events means we can’t continue doing incident response as normal, we will need new processes, new communication channels, and, most importantly, more people to be involved so that we don’t burn out the few people we currently have.
Making it Work
Long term, education is one of the biggest solutions to the deficit of security professionals, but it’s not going to help us within the next two years. The reality is that it takes more than two years to get a degree created and running in any discipline and while there are quite a few schools who currently have a security curriculum, it’s simply not enough. And a degree doesn’t make a security professional; there’s a certain level of curiosity tempered by cynicism and disbelief of the status quo that are needed. There are any number of challenges a security professional faces in their career, but one of the underlying threads is that you have to be prepared to dig a little deeper than the data suggests on the surface.
Short term, what we really need is to work harder at making security an integral part of business practices. We’ve talked about this integration for years, but at all too many companies, it’s still just something that we play lip service to. There are islands of support in development groups or IT, but how many companies can really say they have a security practice that has supporters and integration everywhere from the CEO down to marketing and sales? If we can’t find new people to hire in the near future, we need to modify our processes and procedures to take advantage of the people we do have outside the security team. If your incident response plans don’t include marketing for communication, sales for explaining the issues to your customer and the CEO for making the tough calls, then there’s still work to do around integrating with the business.
Eventually, market pressures will increase the number of people choosing security as a career, but it’s not going to be quick and it’s not going to be in the next two years. In the meantime, it’s going to take leadership that can make the most of the resources we do have and reaching outside what we traditionally think of as the security team. And the front line security professionals of today are going to have to become the leaders of tomorrow to teach all the new people coming in from colleges and farther afield.