There isn’t a cybersecurity skills gap

“You’re being conned. There’s no such thing. It doesn’t exist,” says Rik Ferguson, vice president for security research at Trend Micro. He’s talking about the much-discussed skills shortage in the cybersecurity sector.

You’ve heard it before, right? There’s a million unfilled cybersecurity jobs globally today, and there’ll be many more in the future.

Ferguson was speaking at the national conference of the Australian Information Security Association (AISA) in Sydney on Wednesday. He sees it very differently, and he makes a solid argument.

“The problem is too many organisations are busy hiring pieces of paper, and not busy enough hiring people,” Ferguson said.

There’s no point listing a Masters degree in cybersecurity as one of your job requirements. Such qualifications were rare until relatively recently, and even then they were called something else, or the skills you’re really wanting were buried as part of another course.

Ferguson himself did a Bachelor of Arts in French, and then spent 14 years working an IT support desk.

“That’s enough to build a career on,” he said.

“You should be looking more for people, and soft skills within those people, and the character of someone who’s going to be good at analysis [and] problem solving. Those are the kind of things you want in cyber. You want tenacity and stubbornness. You want someone who continually questions. You want someone capable of parallel thinking. Someone [who is good at] sorting through details.

“You don’t need to make sure they have the right certifications and the right pieces of paper. They can learn that on the job. You should even be sponsoring to do those courses and learn those skills on the job. That’s part of the reward for offering your effort as an employee.

“I knew I was going to harangue you at some point.”

ZDNet heard similar sentiments out on the conference floor, although perhaps expressed less bluntly.

One senior security executive complained of a major organisation with too great a focus on qualifications — ironically seeing a masters degree as a threat, because he might out-qualify his potential future boss.

Take one young Australian hacker, Nathaniel Wakelam, with no qualifications whatsoever but plenty of persistence, who at age 20 managed to make AU$250,000 in bug bounties in just six months. In the radio documentary where he was interviewed, Bugcrowd founder Casey Ellis told the Australian Broadcasting Corporation that Wakelam’s story wasn’t all that unusual.

More recently, Australian government agencies have also been hiring people rather than qualifications, though that’s been forced upon them by their own specific needs.

A number of sources in Canberra, or with familiarity with the intelligence community, have told ZDNet that increased demand for the positive vetting (PV) process to clear employees for the more secret work across all agencies has blown out processing times to an average of 18 months.

That clock starts when all of the potential employee’s documents have been received, which means that in practice the time between advertising a position and getting a person between chair and keyboard is around two years.

That doesn’t help government agencies with significantly increased budgets and workloads, and a need for skilled people. Some, therefore, have started recruiting people who already have PV and the right character, and giving them a crash course in the cybers.

This isn’t actually a new problem in the IT industry.

For decades, recruiters have looked for employees with five years' experience in technologies that have only existed for five years. It’s no surprise that they’ve had trouble finding staff who’ve been working on technologies since they were nothing but an initial blip on Gartner’s Hype Cycle.

The idea of training an organisation’s existing staff, people who already understand what the organisation does and how they do it, doesn’t occur to recruiters. Well they don’t get a fee for that, do they.

Who they should be looking for, though, are people who are proven to be quick learners. We all know these men and women. They’re the ones who can fire up a new control panel, maybe skim the documentation, and be working with it by the end of day one.

They may have qualifications in computer science, or software engineering, or networking, or whatever. But they’re just as likely to “just” have a broad background in tech, and “just” know how stuff is built.

The one saving grace is that organisations with a check-the-box attitude to recruitment probably also have a check-the-box compliance-based attitude to cybersecurity. You probably didn’t want to work there in the first place.

They’re probably also the kind of organisation that’ll suffer a massive, embarrassing data breach, and blame you for it. Cross that one off your list, and move on.

Source: http://www.zdnet.com/article/there-isnt-a-cybersecurity-skills-gap-rik-ferguson/


  • Kevin

    Interesting school of thought. If only more companies looked outside the industry as well. Rik didn’t start with the right credentials or certifications but was given an opportunity…and look how far he’s come!

    • Francis L

      Agree, but well, in Singapore certifications and degrees come first. So a person is hired because of his/her credentials but her skills are not being tested out. I guess there’s a need to ensure the right person is being hired, esp in this cybersecurity industry.

      • Kevin

        We’re talking about disruptions, new tech/threats and DDoS almost every day now and yet, the hiring process remains archaic…no wonder the skills gap remains and will continue … sigh

  • Phil T

    Interesting article. Companies should read this article. I’ve seen many job postings state certain certifications reqt. This pretty much eliminates potentials from getting into cyber security. While it’s good to have necessary experiences and certs when hiring, companies should not limit their search on these only. They must be willing to take professionals who are genuinely interested to do the job but may not have the nbr of years of experience in security yet. Giving fair opportunity and character assessment are keys to address the shortage rather than concentrating on paper qualifications. Otherwise, chances are we will only see companies hiring foreign talents.