The Problem
According to a 2021 study conducted by (ISC)2, there is currently a workforce shortfall of qualified information-security staff of nearly 2.7 million globally. When coupled with the skyrocketing risk of compromise and data exfiltration in every corner of industry and government, executives are scrambling to close this gap and build meaningful security programs to protect their data, reputation, and ultimately, the viability of the organization itself.
The seemingly most daunting obstacle to overcome is finding skilled and experienced professionals who can slot right in and take on the challenges of a highly complex and ever-expanding landscape. The problem with this is that those unicorns likely are already part of another team running an established program. The truth is that there are few top-tier experts on the market at any given time, and they are scooped up almost immediately when they do become available.
There are only two types of companies: those that have been hacked and those that will be. ~Robert Mueller
What can be done?
While it is important to recruit and employ some exceptional resources to run a quality security program, it is equally crucial to recognize that many junior and entry level positions can be filled by great candidates that do not yet possess the broad and deep subject matter expertise in cyber security specifically. This article aims to debunk the notion that only highly experienced and technically exceptional analysts are necessary to staff a successful security program at any size.
Necessary Skills
So, if technical expertise is not the #1 priority, what skills should an organization look for in a candidate? While it can depend on the existing team culture and dynamic, there are some important skills and experience that can predict the success of a candidate. While there is no universally specific order of priority in this list, your team will likely depend on some of these skills more than others. There is also no such thing as a full-stack security analyst, no matter what the industry may try to sell. So, finding every skill, while ideal, is not very likely. Perfection in cyber security is—as it is in all facets of our organizations—the enemy of done. And getting a qualified and motivated staff should be your top goal.
Critical Thinking
It may seem obvious, but in nearly 25 years in the IT space, I’ve met very few, if any, successful analysts that could not think beyond the numbers and evaluate things qualitatively. A colleague of mine that ran a major federal application development and security program for many years was very selective in his hiring methodology. When vetting candidates with little to no experience in application development, he would frequently favor those that had studied non-technical subjects, like history and English. His rationale was that he could train just about anyone with great critical thinking skills to write code, but it would be massively more difficult, time consuming, and expensive the other way around. This doesn’t mean that we ignore information security program alumni. It does, however, mean we must evaluate their ability to approach problems beyond the technology.
Written Communication
Like it or not (and most of us do not), report writing and documentation make up an enormous amount of the work required in information security. Policies, procedures, security briefings, penetration test reports, tabletop exercises, and business plans must be written and maintained meticulously. And they must be meaningful to non-security personnel, especially leadership. It should be standard practice to request a writing sample from any candidate (regardless of their background). Like critical thinking, it is expensive (in terms of both time and money) to teach someone to write effectively and efficiently.
Creativity
It may sound a bit silly, but understanding the hobbies of a candidate can go a long way toward recognizing creative thinking ability. Music, theater, writing (especially fiction), and even crafts like sewing or carpentry are good indicators that a candidate will have unique approaches to solving problems. This can be invaluable on a defensive security team, where analysts must learn to think like a bad actor. This can result in solutions and controls that no one else ever would have imagined. And that means a more secure environment.
Team Mentality
While there is a longstanding image of the cyber security analyst sitting in a dark room alone with 10 monitors and a massive pot of coffee on standby, the reality is that it has always been a team effort. As it is nearly impossible to find (or even train) anyone with every skill required to do the job, and because we cannot (or at least we really should not) expect a single individual to maintain a security program that must defend our organization 24/7/365, we must seek out candidates that are able and willing to work in a group setting. What does this really mean? First and foremost, analysts need to be able to ask for help—and they must reasonably expect that they will get it. It is a two-way street, and more experienced and knowledgeable staff must be willing to share their wisdom with newbies as well. Seek out those candidates who themselves are seeking a team-oriented environment and focus on the ones who will blend well with the personalities already on staff and help steer the culture toward continual learning and improvement through mentorship and curiosity.
Analytical Thinking
Just like critical thinking skills, the ability to think analytically is key to operating in a successful security program. And yes, while complementary, there is a great deal of difference between the two. While it is absolutely crucial to think outside the box, everyone must acknowledge that the box exists for a reason, and we need to solve for the issues that arise within the scope of the program. That means that your staff need to be able to recognize patterns and identify trends through systematic review of systems, logs, and documentation. The very first technical skill a security analyst should learn is the ability to recognize how a system is supposed to work. They must fully understand what normal looks like before going to find the anomalies.
Safety and Risk Management Orientation
Really good security analysts will always bring an (un)healthy dose of paranoia to the role. Since their job is to protect your organization’s most vital resource, your information, they must first and foremost understand that there are bad actors who want to take it. Caution and risk awareness must be ingrained behavior, not just a skill to be learned. This is not to say that you must look for candidates with the inability to trust, but rather those with the sophistication to grasp the value of calculated risks and how to manage them.
Pitfalls and Gatekeeping
It is very easy to pass on piles of resumes that show no technical background or degrees. Ignoring technical skills and experience is a risky—and dangerous—path to travel when recruiting and hiring candidates that will be responsible for the most valuable commodity in our industry: data. However, gatekeeping in this manner has the potential to produce very unintended and potentially harmful results. First, it will eliminate many qualified candidates that are looking to shift careers. Everyone starts at zero when entering the workforce for the first time (even seasoned veterans of other industries). Do not look past candidates with the skills mentioned above simply to find someone with a lot of letters behind their name. Second, it will absolutely extend the time it takes to build a team of any skill level at all. The reality is that it will probably take longer to find the perfect candidate with all the requisite technical knowledge and experience to produce exceptional results than it would to find a motivated, qualified, non-technical candidate and train them in all the technical requirements for the job.
The oft-repeated response to the current skills gap is to replace human resource needs with technology and automation. While that may sound like a great idea, there are some very important reasons why this is not necessarily the silver bullet we would like to have. First, remember that beyond technical skills, there are many “soft” skills we must hire for, as mentioned above. No matter what amazing new AI/ML toolset your inbox may be flooded with, there is still no machine capable of thinking truly critically. People are still far superior to machines at making decisions based on complex and constantly changing requirements and situations. To expand on this a bit, the most successful attacks on organizations are carried out by human beings, not automated tools. This is not to say that there are not myriad technologies and tools available that can enhance a security program immensely. However, even with these tools, configuration and maintenance are still very human activities. And decisions to act on incidents will be made by people. People also provide things that no automated tool can, such as suggested resource allocation, budgetary needs, and other technologies that may further improve the program. In every aspect of our organizations, technology should always be an enabler, and security is no different. Every new advance toward automation should be considered, and its overall value should be measured in how it truly enhances the processes and policies upon which the overall program is founded.
We Hired an Inexperienced Analyst…Now What?
There are really two key ingredients that need to be added to your newly minted—albeit a bit green—security analyst: training and mentorship.
Depending on their background, training may take different shapes, but this really boils down to technology training and certification training. What’s the difference? Most security certifications (unless they are vendor specific) are technology agnostic. While some specific technologies may be discussed and even examinable for things like CompTIA Security+ or (ISC)2 CISSP, these certifications are geared toward understanding the underlying concepts, processes, and best practices in the security space. Keep in mind that many of the more popular (and advanced) certifications also come with an experience requirement. CISSP, for instance, requires 5 years in two of the covered domains to achieve full certification. You can find some suggested training based on role and career path here. For technology-oriented training, it will depend entirely on your stack and what technology the analyst will be expected to leverage in their role. For example, if your organization uses AWS as its primary cloud infrastructure vendor, it would be critical for a new analyst to attend AWS cloud security training. There may be additional technical training that goes beyond security if an analyst has little to no technical background. Things like understanding basic networking and hardware are foundational to a successful program.
Mentorship is the piece that is often limited, avoided, or overlooked altogether. This goes back to the team-oriented mentality discussed earlier in this article. Providing a more experienced and knowledgeable mentor to new analysts is very important not only to developing their skills but also to establishing confidence and a sense of belonging that is vital to fostering an effective culture. If you do not have the internal resources to provide a mentor to every new analyst, there are resources available—and plenty of experienced analysts and experts willing—to establish a mentor/mentee relationship with those that are new to the industry. This should be an expected part of onboarding for any new analyst, whether the relationship is built within the organization or through a third party. The relationship should be monitored as well. The program manager should meet with mentors regularly to ensure that the mentee is maturing into their role. Timelines should not be set for this kind of relationship, however. Expecting everyone to develop at the exact same rate is stressful for everyone; it will almost certainly lead to burnout for mentees and mentors, and ultimately prove detrimental to the team. That is not to say there should be no milestones or expectations. Meeting performance objectives is equally important when developing new resources. But bear in mind that some will pick up specific skills more quickly than others, and the sheer volume of knowledge to be gained in cyber security means you can use these differences in personalities to create a more diverse and, ultimately, effective program.
Parting Shot
When it comes to information security, many—if not most—organizations today are understaffed and underfunded. The landscape of this industry is growing and becoming more complex by the day, and successful attacks are increasing in number and frequency all the time. We currently do not have the numbers of true subject matter experts to fill this void. Seeking out intelligent, analytical, and motivated candidates that need training and mentorship should be the #1 priority for any organization that is struggling to keep up with the needs to staff and run an effective security program.