If you are in charge of hiring cybersecurity professionals in your company and think that an alarming number of job candidates lack fundamental knowledge — and even more of them lack specialized knowledge — then you are not alone. In fact, you are in the overwhelming majority.
A new survey by research and training firm SANS has confirmed what you and other seasoned cybersecurity professionals have known for years: the cybersecurity skills shortage is a colossal crater that is growing larger by the day.
About the Survey
The SANS survey asked over 500 cybersecurity professionals working in 284 companies to identify the cybersecurity skills they find most important in job candidates. The top core competencies were:
- Networking
- Windows
- Linux
- Common Exploitation Techniques
- Computer Architectures and Virtualization
- Data and Cryptography
- Programming
Based on this list, the survey asked respondents to reveal the percent of job candidates who were unable to perform basic cybersecurity tasks, and the percent of job candidates who failed to demonstrate hands-on mastery.
Percent of Job Candidates Unable to Perform Basic Cybersecurity Tasks
- Common Exploitation Techniques: 66%
- Computer Architectures and Virtualization: 47%
- Networking: 46%
- Linux: 40%
- Programming: 32%
- Data and Cryptography: 30%
Percent of Job Candidates Unable to Demonstrate Hands-On Mastery
- Data and Cryptography: 98%
- Networking: 96%
- Common Exploitation Techniques: 95.5%
- Linux: 86%
- Programming: 89.5%
- Computer Architectures and Virtualization: 87.5%
It Truly Is a SKILLS Problem
The most illuminating aspect of this survey is that merely “throwing bodies” at the problem will not solve it — because the problem is not a matter of availability or interest. There are many people who eagerly want to get a job in the cybersecurity field. And why not? It pays well (and in some cases very well!), there are many challenges and opportunities to grow, and it can be very rewarding and fulfilling. Oh, and let’s not forget a little thing called ironclad job security (although as Devolutions’ VIP user Francois Fournier wisely pointed out in an article, sometimes being indispensable is a liability instead of an asset!).
So yes, there are plenty of job candidates out there who want to work in the cybersecurity field. But as the survey has shown, there are precious few qualified candidates who can hit the ground running and make an immediate contribution. In other words, it is not a people problem, but rather a SKILLED people problem.
Filling the Gap
And so, how should we go about filling the gap so that more people who apply for cybersecurity jobs have the fundamental and specialized skills they need? There is no easy answer or quick fix to this critically important question. However, Brian Krebs over at his must-read blog KrebsOnSecurity, has a few tips for aspiring cybersecurity professionals:
- Do not sit back and expect your employer to give you structured training like an interning doctor or articling lawyer. Get practical experience and learn by doing through setting up hacking labs, taking advantage of resources like purpose-built exploitation toolkits, and accessing a wide variety of online tutorials and videos.
- Do not underestimate the value of learning how to program. It will not only make you more attractive to potential employers, but it will also help you expand your knowledge as your career grows and you start to specialize. If the idea of learning how to code fills you with anxiety, then start with something relatively easy and familiar like basic command line tools on Linux.
- Get involved with other cybersecurity professionals through meetups, user groups, conferences, online forums, and so on. Do not hesitate to reach out for guidance. You will be pleasantly surprised at how willing most experienced cybersecurity professionals are to help. Just be patient, respectful, and humble — and then when you become a cybersecurity guru down the road, remember to pay it forward by guiding and mentoring newbies.
What’s Your View?
Please share your experience of hiring and/or managing cybersecurity professionals. Have you been blessed with capable and intelligent staff? Or has your experience been more like those who participated in the survey — i.e. you said to yourself, “wow, this person is nice, but they really don’t know enough about cybersecurity to work in the field!”
Also, what advice would you give to aspiring cybersecurity professionals? Are there any certifications or courses they should pursue? Any wisdom or warnings they should heed?