C-level briefing: The skills shortage in cyber security is a big problem, but what can be done about it?
Alongside the actual threats, the skills shortage is one of the big issues keeping cyber security professionals up at night.
Research by Enterprise Strategy Group (ESG) suggests that 46 percent of organisations said they had a ‘problematic’ shortage of cyber security skills in 2016, up from 28 percent the previous year.
The 2002 biographical film Catch Me If You Can, starring Tom Hanks and Leonardo DiCaprio, ends with fraudster Frank Abagnale taking a job with the anti-fraud agency that has been hunting him for years.
Could the cyber security skills shortage be sorted out in the same way? According to KPMG research from November 2014, which surveyed IT and HR professionals, over half of respondents would consider hiring a hacker or someone with a criminal record.
A 2016 report by SecureData said that 34 percent of businesses would have no problems hiring an ex-hacker to compensate for a lack of skills.
But talk to people in the industry who are responsible for hiring skilled security staff and they are less enthused.
“It’s a really difficult issue and the truth is it has to be case-by-case,” says James Lyne, global head of security research at the security firm Sophos.
“We have rehabilitation laws because people make mistakes.
“Equally, imagine if you hire someone who has been known to hack and has maybe compromised some systems and you put them in the position where they could run code across the NHS. If something goes wrong that leads back to them, how could you possibly defend that you made the right decision?”
The issue is a particularly important one to Lyne, who says that a job in cyber security prevented him from going over to the dark side of the industry.
“I was quite lucky. I got a bit of a tap on the shoulder from a local company who at the right point in my life directed me towards the fact that these security skills could be applied to good. You could have a career in this and make money without having to look over your shoulder constantly.”
Lyne says that he, like many other young teenagers experimenting with hacking, didn’t necessarily have a “strongly developed moral compass”, and says that if he hadn’t been approached he could have gone in the wrong direction.
However, while Lyne believes that criminals should have the chance to escape their past, for the reasons stated above he argues that it is very difficult for organisations to put their skills to good use.
“People often ask if the best people to work in the labs are ex-malware authors. Actually, no. The skills to do reverse engineering and block malware as a defender are pretty radically different to the ones used to write malware. I’d actually argue harder.
“Of course, having offensive skills is important, but it doesn’t necessarily follow that that is the prime talent pool.”
Lyne is keen for the intervention to be made earlier with many young hackers, as it was with him.
“If you are interested in this kind of stuff, stop, pause, think about the future and recognise that there is a profession here where you can put those skills to good use, make the internet a safer place, make good money and not have to worry about being arrested at any moment by law enforcement.”
With this theme in mind, Lyne strongly supports schemes like the UK Cyber Security Challenge, in which children are given the opportunity to flex their hacking muscles in a controlled environment rather than wreak havoc upon businesses.
“The path to getting into security is too populated by luck, with a lack of clarity. There is too small a number of internships.
“Across the board from academia to government and industry, this has got to go better. Otherwise we’ll be talking about a cyber security skills gap that is much bigger than the one we have now.”
Who could become a potential cyber security expert? Almost anyone, according to Lyne.
“We’re talking about a number of different skills there. There were plenty of people that studied computer science, that learned to program, that got bitten by the bug of reverse engineering and exploit development. There are just as many people who don’t fit that mould.”
He cites, for example, a member of his team who was formerly a chef but became interested in cyber security as a hobby.
“The traditional paths to this industry should be bolstered. We need more people doing computer science.
“But companies also need to broaden their horizons for people with these skills.”