Cybersecurity is a complex issue and becoming more so as advances in technologies like AI, IoT botnets and crypto-viruses enter the arena. That increasing complexity is making it harder for organizations to find IT security professionals with the right cybersecurity skill set for their needs. A study conducted by the Center for Cyber Safety and Education and (ISC)² predicts the workforce shortage in the cybersecurity industry to hit 1.8 million by 2022. Cisco’s 2018 Cybersecurity Report found that lack of trained security personnel was the third largest challenge to organizations’ security.
Companies all have their unique mix of infrastructure, applications and devices, and finding people with the skills to support that unique environment can be challenging.
“It’s hard to find strong security pros that understand a comprehensive approach, because security is so vast and can’t be taught in a short time frame,” noted Scott Lambert, VP for ActiveIntelligence at Alert Logic, who was part of a panel discussion on cybersecurity.
In addition, Chief Information Security Officers (CISO) increasingly want employees who understand how IT and cybersecurity support the organization’s strategic business goals. Technology experts often lack that business knowledge.
“I want someone who can connect things back to the dollars and cents and understand the impact and risks of what they choose to prioritize or not prioritize,” said Lambert. He gave the example of an employee happy to have found and fixed several critical vulnerabilities, but failed to consider whether those vulnerabilities were critical from a business perspective. They might be in a little used test network, for instance, and a less critical vulnerability in a key business system was overlooked.
Also Read: Top 5 Cloud Data Security Threats in 2018
Business understanding becomes even more critical as security professionals move up the ladder. Jennifer Rathburn, partner with Foley & Lardner LLP legal firm and another panelist on the cybersecurity webcast, said that senior security professionals increasingly require knowledge of risk management and legal issues. “It is becoming more of a compliance function,” she noted. “A CISO isn’t doing technical security so much as strategizing about where the risks are.”
Certifications are also important to have on an IT security resume. Paul Mazzucco, TierPoint’s chief security officer, particularly likes the (ISC)2 Certified Information Systems Security Professional (CISSP) and the EC-Council’s Certified Ethical Hacker certification.
“CISSP gives you a lot of understanding of business security and is a well-rounded model; Certified Ethical Hacker (CEH), gives a good understanding of toolsets required to see what’s going on in the network, what to do when you’re starting a red team for incident response, or a blue team for forensics and so forth.”
“We see a lot of kids out of school who are hyper focused on one skill set that does one layer of network protection,” said Mazzucco. “It’s finding the Holy Grail when you get someone who’s gone through CISSP training and some next level testing on the business of security. The most valuable thing is understanding the business model around security.”
Organizations often turn to managed security service providers (MSSPs) like TierPoint to augment their internal cybersecurity skill set. Contact us to see how we can help.