The shortage of cyber security talent has intensified. How can companies recruit talent without sticking to one pattern?

Entering 2019, cyber security risks have intensified, and the gap in cyber security talent has continued to widen. According to a report by PricewaterhouseCoopers, the network security talent gap in 2019 may reach 1.5 million. Such a large number is not only a challenge for enterprises; it is approaching a disaster. But apart from anxiety, no one seems to have found an effective way to solve this problem. People often think that the talent gap is caused by a lack of suitable talent. This may not be the case.


Status Quo of Network Security Talent Development

With reference to McAfee's research report on Australian cyber security practitioners, the current development of cyber security talents shows certain characteristics and trends:

Most interviewees agree on the qualities that a good cybersecurity practitioner should possess, for example: the ability to explain technical concepts in an easy-to-understand manner, analytical skills, teamwork skills, and good communication skills. However, 27% of the respondents were unable to list a specific skill that a good cybersecurity practitioner must have. This shows that the industry's definition of the skills of qualified or excellent cybersecurity practitioners is not clear enough, and that there is also no precise definition of a truly diverse and excellent cybersecurity team. This situation affects the construction of comprehensive and efficient network security teams.

In addition, most cyber security practitioners (84% of the respondents) have an education above secondary school (49% of them majored in engineering, IT, communications or network security, and 49% have no network security professional qualifications at all). Only 16% of the respondents said they had worked in other industries or in work unrelated to network security. Recruitment of network security talent is confined to the industry itself, which is not conducive to the industry's diversified development. Today, with the rapid development of technology and industry, such a recruitment model may also bring potential limitations.

Most network security practitioners are involved in operations or management, while fewer are involved in security strategy, security education or security consulting. This result also reflects the current situation of domestic cyber security practitioners. The "Survey Report on the Status Quo of China's Information Security Practitioners" (2017) shows that what the cyber security field currently lacks most is strategic planning and architecture design talent. 34% of the respondents believe that they spend more than half of their time dealing with cybersecurity work; 57% of managers believe that recruiting employees is difficult, with security operations personnel the most difficult to find. These data show that many practitioners have misunderstood their cyber security responsibilities, mixed them with other work, and even set limits on themselves, resulting in limited enterprise emergency response. This also sounds the alarm for enterprises: more automation products should be introduced to free employees from technical and emergency response work so that they can devote themselves to strategic and holistic work.

Under the current situation, the number of people who specialize in network security or have experience in it is indeed not enough to fill the gap. But on the demand side, real talent cannot be judged solely on the basis of experience, major, certificates and similar conditions. In building up talent, cybersecurity companies can go beyond mere recruitment and team expansion: they can use a variety of methods to stimulate the potential of internal employees, or allow promising people from other industries to start cybersecurity careers, opening up more paths for future development.

Alleviate the shortage of cyber security talents

1. Improve recruitment success rate


1. Expand recruitment channels

For companies, the first choice for filling the talent gap is to increase recruitment. But simply posting more jobs or raising salaries and benefits does not always find the ideal talent. Sometimes it is necessary to expand recruitment channels to reach more target groups. In addition to talent from computer science programs and scientific research institutes, other professions or communities can also be considered. In layman's terms, it means looking for what the industry calls "folk power". Many white hats or vulnerability hunters use their spare time to get involved in network security. They may not work in the cyber security industry and have a diverse range of professional backgrounds, but they all have a strong interest in cyber security, are self-driven and are good at learning. If you can find such a group of people and turn them into professionals, they will bring new perspectives, experience and ideas to the cyber security industry and to enterprises, and provide more possibilities for resisting risks and fighting cybercriminals.

2. A reasonable description of job requirements

When recruiting, many companies list too many requirements for a position, which can daunt applicants. Some companies also focus only on requirements without showing the growth and rewards that the company can offer its employees, and so easily lose some excellent candidates. You can find professional writers to write recruitment copy: good copy is half of a successful recruitment. Generally speaking, the job title must be accurate, the job description must be concise and focused, and the advantages and benefits of the company must be highlighted to attract talent.

3. Building an inclusive and diverse corporate culture

There have been reports that only 11% of network security practitioners are women. In addition, laymen’s incomprehension of the cybersecurity profession, racial inequality, unequal education, and salary gaps in the industry are also major challenges facing cybersecurity talent training.

Of course, the impact of these major environmental factors cannot be dealt with by individual companies on their own. However, companies can alleviate the shortage by increasing environmental and cultural diversity:

A. Cooperate with nearby higher education institutions to promote training projects and introduce fresh blood;

B. Establish internal policies to solve problems within the enterprise; eliminating prejudice and promoting equality are also very important;

C. When necessary, you can use local recruitment agencies to specifically look for talents from female groups or minority groups;

D. Set up a page on the company website to show the company's inclusiveness and diversity, such as successful recruitment cases, employee development and growth, and the company's contribution to the development of the industry. 

Comparing the official websites of domestic and foreign network security companies shows some differences between them at the level of culture and of industry development. On the one hand, foreign companies generally pay attention to building corporate culture, and usually set up pages on the official website to display corporate culture, employee development, and team-building activities and cases, in order to promote talent recruitment and training and to establish a good corporate image. The same is true for many cybersecurity companies. Only some large domestic companies have noticed this. On the other hand, compared with foreign countries, domestic cybersecurity companies started and developed relatively late; they pay more attention to core businesses such as technology and products, and have no time to systematically build corporate culture and establish a corporate image. This step is usually considered only after the company has matured. However, building it up consciously and gradually in the course of daily business will help attract and cultivate talent. As the cyber security industry continues to mature, the inclusiveness and diversity of the entire industry (including reducing discrimination and promoting equality) will continue to increase.

2. Strengthen cyber security education and training

The security requirements of ordinary enterprises are generally divided into four categories: network security, terminal security, malware analysis, and encryption. In addition, there are multiple skills requirements such as threat tracing and emergency response (including network traffic analysis, malware reverse engineering, terminal detection, etc.). These skills cannot be mastered overnight, but when the number of professional talents cultivated by colleges and universities for many years is insufficient, ordinary employees can gradually be qualified for some basic network security tasks through project training, certification, and on-the-job accumulation and learning.


Specifically, cyber security education and training can be strengthened from the following three aspects to alleviate the shortage of cyber security talents:

1. School-enterprise cooperation to strengthen cybersecurity talent education

Based on actual conditions, companies can cooperate with colleges and universities: taking part in curriculum setting, establishing practice bases, and carrying out project cooperation, training certification, learning practice, training and promotion exchanges, etc., so as to cultivate network security talent with both theoretical knowledge and practical experience from many aspects.

2. Training and certification

Nowadays, network security-related websites, articles, courses, etc. emerge in an endless stream, providing rich resources for the training and popularization of network security knowledge. AT&T, Ernst & Young, PricewaterhouseCoopers and some domestic network security companies all provide security training and services. In addition, certification exams such as CISSP and CISP also have a complete education and training process. These all help to train network security practitioners.

3. Safety awareness training

Safety awareness training for ordinary employees is also indispensable. Make employees aware of the importance of data security, and have them abide by the rules and act sensibly in password setting, access authentication, intranet and extranet connections, sending and receiving mail, mobile office work, etc. This forms a good security atmosphere in the enterprise and helps to reduce security risks and the pressure on security personnel. We mentioned the specific content of this part in another article, and interested readers can click to view it. Kaspersky recently launched a security awareness training platform that focuses on automation and flexibility, which is very suitable for small businesses and can also be used as a reference.

Through appropriate training, it is even possible to develop people from other fields into network security talent, such as criminal investigation police, game players, etc. This can be practiced simultaneously with the expansion of recruitment channels mentioned above.

Four Questions and Four Answers to Network Security Talent Recruitment and Training

At the end of this article, I conclude with four questions about network security talent recruitment and training.

1. What kind of talent do we need?

According to the "Survey Report on the Status Quo of China's Information Security Practitioners" (2017), the talent in shortest supply in China's cyber security industry is strategic planning and architecture design talent. According to the "2017 Global Information Security Staff Research Report", the talent in shortest supply in the global cybersecurity industry is operations and security management, incident/threat management, and forensics talent.

Generally speaking, in addition to people with network security knowledge and skills who can deal with security issues, experts with a global view who can provide enterprise-level security solutions are the most sought after by the entire industry.

2. How to deliver talents to the industry?

In the cybersecurity education of colleges and universities, teachers are not only lecturers and coaches, but also leaders. They should sort out the knowledge points that students need to learn at each stage of the learning process, and teach students in accordance with their aptitude. Education for students majoring in network security can be demand-oriented, supporting multi-level competitions and promoting training through competitions. At the same time, we must also pay attention to safety and general education for students and ordinary people.

In building security posts, enterprises should be guided by market demand, reasonably define the content of network security assurance work, and clarify the capability requirements of each post. They should set indicators for different qualifications, establish practice standards, and cooperate with schools or training institutions, with reference to qualification requirements and standards, to jointly cultivate talent with the corresponding abilities.

3. How to make the entire industry more attractive?

Under the current situation, the entire network security industry has a bright future, and the government, enterprises, and the general public are paying more attention to network security, which has also raised the influence of the entire industry to a certain extent. Only by increasing the importance of network security within the enterprise and the entire industry can practitioners feel the value and meaning of their work. At the same time, allowing cyber security employees to reasonably participate in the company's business processes and understand business strategies, IT architecture, and security architecture will help security work progress effectively. In addition, respecting the development and growth of in-service cybersecurity talent, providing training and continuing education support, and providing clear promotion channels and a good working and learning atmosphere can not only improve the ability and enthusiasm of employees, but also help them respond better to emerging security threats. Of course, reasonable salary and benefits are also key to enhancing attractiveness.

4. Did you find the right person? Are you using the right people?

In the cyber security industry, different jobs such as threat assessment, risk management, operation, and analysis correspond to different positions and have different skill requirements. To find suitable talent, it is necessary to clarify the responsibilities and requirements of each position. For example, if you want the security operations center to function well, you need to find employees who understand both technology and emergency response, rather than employees who only understand risk, because they need to know not only the threshold of risk, but also the factors that can mitigate or increase risk, and how to control risk at a technical level. In other words, companies must clarify their specific needs for network security, clarify the role of the people they recruit, and establish a complete network security management system within the organization, in order to use the right people and use them well.

*Reference source: McAfee, PwC, CPO Magazine, etc. When reprinting, please indicate that the article comes from FreeBuf.COM.


Origin blog.csdn.net/jayjaydream/article/details/114218679