Regardless of the statistic you use, there is no doubt that there is a shortage of security professionals.
There is no stampede for new grads to become security experts, even though it is a financially rewarding career. We have to ask ourselves why this is the case.
- Is it difficult to learn the tech?
- Is the job just plain boring, as each day involves the same issues?
- Is the long term prognosis for career development not positive or promising?
- Do they not get respect from their peers?
The relatively few security experts today are moving from company to company for higher salaries. It is almost as if they are as mobile as a professional sports league.
At the entry level, there is no doubt that the technology is difficult to comprehend. It is not as if there are basic principles to master, as you would find in a standard engineering discipline. Cybersecurity requires “on the job” learning, especially since there are many different and esoteric ways security breaches occur. We need formal techniques to help build expertise. There are some good examples at both the college and industry level. Without more accessible opportunities such as these, true security proficiency will be hard to find at the entry level.
For many security analysts, the job is plain boring and repetitive. You tackle the same issues day in and day out: the same kinds of false positives, similar mistakes by employees, and so on. The only way to get better is to build tools and processes, and, let’s face it, who enjoys writing process documents? There must be ways to make the role more interesting, productive and effective in order to attract and retain top talent. Analysts should not have to deal with false positives; the systems should be able to deal with them automatically! And we’re getting there, with newer solutions offering orchestration and automated response to help reduce alerts.
From a career standpoint, if you are a developer, a product manager, a sales manager or in a variety of other roles, you can become a leader, a CEO, or run a division. Unfortunate as it may be, there are not many great examples of a CISO leading a company. It may be possible, but the current statistics don’t demonstrate a trend. The CISO role is one of prevention, not growth. Those roles do not usually build charismatic leaders. Do you recall any good defensive-minded military commanders? Yes, you will need to exclude some of the best Vietnamese leaders.
Security teams believe users are the weakest link and employees think security teams are there to prevent them from doing their job. Neither side is right, but that is the perception. If security teams have the tools to help users figure out where they are making mistakes that could compromise security, it will go a long way in helping to build trust within the organization. Users will become more aware. Users will feel they have a role in security. That will also make the security team’s job easier and more fulfilling.
None of these problems are easy to solve. But they need to be addressed if we want to make security a strength, not a weakness. Embracing new technologies that help intelligently automate parts of security to provide overwhelmed security teams a hand is a start. But in the long run, bigger changes to security strategies will need to take place. Everyone in a company needs to be responsible for security, not just the CISO.