Like every other independent security consultant out there, I have to ask; “Cybersecurity skills gap? What the Hell are you talking about?”
I’m not even going to quote the plethora of doomsday statistics, but suffice to say the majority of organisations and Governments believe the cybersecurity skills gap is actually a real thing and getting worse. They have no idea that the experts to solve most security issues are out there with dumbfounded expressions thinking; “I’m sitting RIGHT here?!”
How can there be a shortage when I, a cybersecurity professional available for hire, am not overwhelmed with requests for help? How is it that EVERY cybersecurity consulting company in the world isn’t experiencing exponential growth? Why do I see cybersecurity practitioners all but begging for jobs on LinkedIn almost every day?
It can only be because those looking for help are simply looking in the wrong place, and here’s an example;
I was approached by a recruiter asking if I was interested in a 6 month ‘PCI project manager’ contract, 9 – 5 bum-on-seat, at £400/day. She was desperately trying to fill it because no matter what she did, no one was interested. She was wasting her time [and I think she knew it], but she didn’t know why she was having such a hard time.
So I told her:
- No PCI consultant worth their salt is going to accept a 9 – 5 gig for ANY length of time without knowing how the project was scoped in the first place. No details were provided, nor would they bother going through the process in order to get that information (see 5. below);
- An experienced consultant knows that 4 out of the 5 days a week would be wasted because the overwhelming majority of the work they need done will be performed by other people. All of whom have regular day jobs and other priorities;
- An experienced PCI practitioner knows that a 6 month deadline is a death sentence for any PCI project, given that it often takes at least half that time to get the client’s stakeholders properly up to speed (for all but the smallest organisations anyway);
- The vast majority of consultants with significant PCI experience already work for QSA companies; which segues perfectly into…
- £400 / day? Really? Any cybersecurity / PCI consultant desperate enough to accept this rate is so junior they would spend the first month trying [and likely failing] to find their own arse.
I then asked if her client was open to a conversation because even if they found someone to fill the role, they would need to hire someone else in 6 months to clean up the mess. Of course the answer was no (not her call), so that organisation is never going to get an appropriate solution to their problem.
And right there is the biggest problem with most organisation looking for cybersecurity experts; They have no idea what to ask for, so they end up with job descriptions / benefits package that will only appeal to those at the very beginning of their careers. If they appeal at all.
Here’s two scenario-analogies:
- You get sick, hire a NON-medical expert to find you a doctor, and limit the candidate pool to those fresh out of kindergarten; or
- You get sick, hire a trusted general practitioner to either diagnose and fix the problem, or refer you to a well-known specialist?
Here’s two more:
- You need a shed built, so you hire a non-builder to hire you a full-time contractor; or
- You need a shed built, so you hire a shed-builder to build you one
Just how much of this ‘skills shortage’ is due to organisations trying to hire a single full-time person when the vast majority of security involves a series of projects, each with its own distinct skills requirement? Or organisations writing their own job descriptions without any clear knowledge of the desired result, or even what security is? Or worse, they need security people to manage all of the technology they bought trying to make security go away?
There’s also no question in my mind that the security industry itself is adding fuel to the fire. From consultants trying to push their ‘virtual expert’ offerings, to vendors trying to sell you pieces of tin with promises to take out the ‘human element, a skills gap works very much in their favour.
All of that said, yes, there are definitely skills shortages in SOME areas of security, but it’s in an area no organisation thinks to look, and few security experts want to fill; fixing the real problem. The source of the apparent shortage.
True security is about the basics. From policies and standards, to risk management, to security awareness training, until you commit to doing security properly you’ll never find the right resources to fill the gaps.
If finding the right resource to solve your problem is complicated, you’re asking the wrong questions. If your candidates don’t make the solution to your problem sound simple, you’re asking the wrong people.
[If you liked this article, please share! Want more like it, subscribe!]