June 22, 2018 By Martin McKeay 5 min read

Chief information security officers (CISOs) across the globe have long lamented the fact that so many job applicants lack the security skills they need to fill crucial security positions.

Put bluntly: IT leaders have simply failed to create a pipeline of new professionals over the last 20 years. We’re now starting to pay the price as the threat landscape rapidly expands and information security becomes part of everyday life.

So, what can we do about it now? Our best bet is to train our own replacements.

Why You Can’t Teach Passion for Security

Think about the types of people who view security as a potential career. Many of us got into the field because it seemed like the only choice we had. We pursued a career in security because we were curious and adventurous — and we couldn’t stop thinking about it. Most first-generation security professionals champion this mindset, and many contemporary professionals do as well (especially our best researchers).

There’s another group of security professionals who simply view security as a job and leave it at the office when they go home at the end of the day. This type of thinking isn’t exclusive to security. Most industries are made up of people who simply want to perform their jobs and concentrate on other things after hours.

This is the stabilizing factor that takes an industry from a fringe element to a core part of the organization: No matter what career path you choose, a small number of people will view their job as a passion and a large number will just want to make a living.

Why is this relevant to the daunting task of training of new security professionals? Creating the next generation of security professionals is hard work — and we’re not really prepared. The thinkers (i.e., the passionate, seasoned professionals who’ve been in the industry for decades) often expect new employees to share the same love of security and the same depth of experience we had at their age. But that’s not a realistic expectation.

Like many parents, I recently watched one of my children walk across a stage and accept his high school diploma, alongside 1,000 of his peers. He’s headed off to college in the fall with the bare minimum of skills he needs to perform the basic functions of life — aiming to learn enough to take him to the next step. But that’s all a college degree will be for him: a next step.

For better or worse, college doesn’t truly prepare students for the real world. It presents them with a wealth of knowledge, some secondhand experience and — if they’re very lucky — a little bit of real-world experience. It does not give them all the tools they need to perform in real situations that are messy, unbounded and complex. It takes the scars of making mistakes (and learning from those mistakes) to transform knowledge into wisdom.

Grow Security Skills From Within

So, how can CISOs alleviate the skills shortage we face in the security industry? In the short term, there really isn’t a solution. We have to admit that colleges will rarely be able to deliver candidates who are capable of dealing with the complexity of security from day one. Then again, very few industries expect that out of college graduates. An automobile manufacturer wouldn’t hire a newly minted electrical engineer and expect him or her to design a wiring harness for the next model of its car, for example. The company would start the new employee small, nurture him or her, gradually increasing responsibility over time.

I see two viable approaches to growing talented security professionals — and neither works overnight. The first is to hire talented people in junior roles and train them up over time to be senior security professionals. The second is to hire talented people from adjacent professions and train them to develop the skills and thought processes security professionals need in their daily lives. Of course, neither is a quick solution to our pipeline problem.

There’s an old joke that goes, “What if we train our people and they leave for better jobs? But then again, what if we don’t train them and they stay?”

In some ways, this is a false dilemma because employees of all stripes have long valued opportunities for professional development. Well-treated and well-trained employees are more likely to be loyal to a company than they are to leave. The flip side of the equation is that job roles, responsibility and pay all have to grow along with the employee’s skill level. Security is a dynamic field and employees will not be happy if their skill level has grown, but their job hasn’t.

Use Knowledge Transfer to Your Advantage

Training doesn’t have to come in the form of a college course or trip to a big hacker conference. Employee-led training on a regular basis has the dual benefit of allowing senior staff to show off their skills while also transferring those same skills to junior employees. While it may take a little push to get into the habit, a weekly or semiweekly discussion of topics can raise the base knowledge level of the entire team, especially if real-world examples are included in the training.

Hiring from adjacent fields of expertise makes for some interesting knowledge transfer. As an example, there’s always a need in security for people to write — and it’s easier to teach someone about security than it is to teach a security professional to write. Pairing a good writer with a senior security professional lets them both learn new skills. It only makes sense to extend that same pattern to other types of roles in security.

One of the biggest intersections of hard-to-hire careers right now is security and data science. There simply aren’t enough people in the world who are highly skilled at both disciplines, and the salary they can command places them outside the reach of most organizations. As a result, the only option for many companies is to hire a candidate with one skill and train him or her in the other.

Pay Off Technical Debt Through Security Training

We are in a state of deep technical debt in security, and there’s no hiding it. Almost all of the threats our peers were warning management about a decade ago are now the realities we face on a daily basis. Because security wasn’t seen as essential — and because the pipeline wasn’t created in colleges and universities — we’re facing a hiring shortage today. Perhaps most importantly, since no education can prepare a student for the real world, training is our only option to fix the problem.

Only a few organizations can afford to pay the salaries required to hire the top talent in our field. The rest of us need to train people internally and help our new hires develop the skills we need them to have. Using training and promotion as an incentive to hire and retain employees seems to be a logical solution — even if it’s going to take long-term planning to make it effective.

Read the IBM Institute of Business Value report: Addressing the Skills Gap with a New Collar Approach

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today