Some of the [Many] Problems with Security Skills

Some of the problems with Security/Infosec/Insert whatever you want to call this industry here and the discussion around skills shortage plus realisation that the expectation vs reality on both sides of the fence needs to be reaffirmed.

I usually publish technical blog posts, but this one will not be technical for once.

This blog post is my opinion about the skills shortage and the differing views between expectation and reality in the industry that is computer security (or cyber, if you're new here). I originally started writing it in 2019, and it all started from a tweet (it always does), simply asking if 0% unemployment in Security was fact or fiction.

I picked this post back up in 2021, asking if there was a people or skills shortage, and the overwhelming response was 'yes': there is a shortage of both folks with the correct skills and bodies to fill the roles, and it has been expanding at a constant rate over the last few years.

So, before diving in feet first, here is a shortlist of the points currently discussed a lot surrounding the shortage of skills in the security biz:

  • There is a people shortage and, to an extent, a skills shortage. No matter how you dress it up, it is an evolving market that is a small part of the bigger picture. IT and Security are a foundation of the modern world that will only continue to grow. Both are also still very immature industries from a historic standpoint compared to other popular sectors like finance and business.
  • Many employers have differing views on candidates and are still stuck in an old-fashioned mindset that you must be in an office or live in X location to do Y work. Thankfully the COVID-19 pandemic has changed that mindset amongst many companies, and many are now opting to hire employees remotely around the globe.
  • There is a shortage of skills and bodies at all levels, not just new talent, but as one of my ex-colleagues in the UK put it: "There is a shortage in the top end of tester: Us senior folks who are comfortably sat with a good wage on our CHECK certs with exams based on ten year old vulnerabilities. There are lots of talented young people who just need the right opportunity." It's worth noting that it's not just folks who are young in age but also those young in their career.
  • There are unrealistic ideologies between employers and candidates, and the expectation that every single person to be hired must be from X or Y, or must have X years' experience in Y subject before they'll be considered.
  • There is also a shortage of folks in the roles that are needed to pave the way to bring new talent into the industry: not just doing the jobs, but training the future generation to be better and to adapt their skillsets to the different roles and challenges out there.

I asked the internet if there is indeed a skills shortage (twice):

Is there a skills shortage in Security? — Andy (@ZephrFish) June 28, 2019

And after 434 votes, 3/4 said yes (on both occasions), there is indeed. Perfect, I thought, this argument is justified. Little did I know that by posting the question I'd bitten off more than I could chew: cue hundreds of replies, DMs and emails, with everyone telling me their personal view on the way things are and how one area is lacking but another is not.

Differing Views

With all of that said, I set out to speak to lots of different people about their views on what the skills or people shortage really is and how we can work to improve it as a collective industry.

There is an overarching cybersecurity skills shortage, not just a shortage of pentesters. The deficit is across the board and affects all manner of industries: there are focused jobs that are 'cyber', but any IT position will involve some security exposure, even if it is minimal. There was an IT skills shortage a while back; now that that industry is booming, the same shortage has been passed across to security.

Drilling down into how the shortage is measured depends on who you listen to: governments collectively count those in cyber across all industries, whereas the media generally represents those in cyber, or rather the shortage, based on the number of open job requisitions on forums, boards, job sites, etc.

Employers' Views

The biggest thing to come out of 2020 was an uptick in companies hiring, mainly because many folks, uncertain of their future, stayed put in their current roles. This led to many openings being created, not only in the current job market but for those starting their path into the industry. This continued to grow as educational institutions moved to teach remotely, leading to more folks coming through various schools, and thus a more significant number of folks starting their journey.

So, to answer the question of whether there is a skills shortage: the main issue from an employer's perspective is that while the market may be flooded with bodies and skillsets at points in time, it's not the talent that everyone wants or the skill level required. More often than not, when seniors in a company leave, it is much harder to replace them than to recruit folks for more entry-level positions. The other limiting factor that many companies overlook is internal training: if/when you lose a senior member of staff, why not invest in your current staff to enrich their skillsets and train them up to a level where they can step up to the mark and start learning more?

New Candidates

The other factor that plays into a lot of employers' views is time to train and deliver (depending on the field). This is where new candidates can be a significant risk, but often a good one to take: by investing in training someone up, they can in turn pass their learned skills on to the next generation.

For a while, there was a massive skills shortage in specific security areas, so the university courses and self-study courses were geared towards offensive security to try and fill those gaps.

Again, the market moves in waves. There is forever a shortage in the defensive sphere, with not enough focus on the entry positions; many new candidates to the industry are all geared up for hacking or focused on pentesting, with little thought given to the real heroes of this story (the blue team). So the skills shortage lies not just in one specific field but, as I've stated earlier, in multiple areas. The issues also stem from candidates focusing on pure security roles while forgetting, or not realising, that security can be baked into many other roles and industries.

So, is there a skills shortage?

Yes and no...

There's no single solution for the many problems. Sadly, they are compounded by a lack of understanding between all sides. We can collectively open up and help folks in all areas: if you are hiring, tell people and be more precise about what you are after, and if the candidate does not have the required skills, offer training where it is feasible. If you are looking for jobs, try other areas too, not just your focal point; you will find your skillset is diverse and that many paths lead to a fruitful career.