The Global Cybersecurity Workforce Gap Widens: What Are You Doing About It?
The bad news: the global cybersecurity workforce gap is widening. We're talking a gap of nearly 3 million people! The good news: a whole lot of people want to break into the field. However, many of them face real challenges. I'm posting a link to an article that discusses this: https://www.securitymagazine.com/articles/89496-global-cybersecurity-workforce-gap-reaches-293-million.
Is your company fully IT-staffed? Fully security and cybersecurity-staffed? What preparations is your company making to address this shortage? If your organization isn’t large enough to employ its own Blue Team/Red Team professionals, contract the work out on a semi-regular basis. There are now many organizations and professionals who will fulfill this function and other similar ones. Additionally: do you perform risk analysis assessments? Have you prepared disaster recovery contingency options? Are you fully backed up and redundant? How often do you update your P&P (policies and procedures)? What about training and testing your staff? Do you research new tools and techniques, stay up to speed on current issues, and test new concepts and ideas? Does your security leadership interact with others in the field, sharing and exchanging resources and information? If you answered No to any of these questions, why? Does that fact worry you? Perhaps it should…
For those of you wanting to break into the field, what steps are you taking? I actually get asked that question a lot by many people here on LinkedIn. It’s hard for me to always know how to effectively advise people on this. Some challenges are structural, some financial, some logistical, and more. When I first started exploring the field, it was a totally different world. I got my first computer in 1982, sent my first email in 1985, got on my first BBSes in 1988, and migrated to the Web when it arrived on the scene. Meanwhile, like most people from that era, I had been influenced by the movie “War Games.” I was intrigued by the stories of Captain Crunch and other phreakers, the saga of Kevin Mitnick, and the reputation of Kevin Poulsen. It’s possible I may have started experimenting on my own. It was different back then. People hacked for two primary reasons: cred and knowledge. Cybercrime was never even dreamed up until much later. Those of you old enough to remember Spamford Wallace will recall the advent of spam, how much animosity there was out there, and the difficulty in containing it. I was the first that I know of to publicly publish all of Wallace’s IP addresses (over 100) and encourage people to use that information in whatever way they thought best. And while I enjoyed learning the UNIX OS and its various flavors over the years, as well as some other things along the way, and as much as I enjoyed – hypothetically – the prospect of accessing various systems to explore and learn, I also quickly learned there were some very real negative real-world consequences one could face if one went about things the wrong way. I started collecting hundreds of “in the wild” viruses and tested all of the major AV programs out there, publishing my results. I can remember when the first macro viruses were found. I can remember the horror people felt when it was reported that instead of dozens of new viruses coming out every day, there were now hundreds. Then thousands.
And now we see where we’re at currently. I learned through doing, through trial and error, and through reading and research. I religiously read 2600 Magazine, among others. Visited sites like Cult of the Dead Cow. Learned tips, techniques, shared resources. And I’ve continued to do so throughout the years. Right now, I have two malware analysis books on my desk, a memory forensics book, a password/hash cracker book, two cryptography books, etc. Continuing education is always important.
I usually tell people to read and research as much as possible. There’s much more information out there now than when I was starting out. Also, there are numerous courses and certificates one can take or achieve. There are numerous educational sites out there offering classes in ethical hacking, Wireshark, Metasploit, reverse engineering, and the like. If you don’t know where to look, contact me. Additionally, there are numerous professional organizations one can join, most of which offer webinars, conferences, education of some sort, and credentialing. Several good ones include ISACA, ISSA, and ASIS. I encourage everyone to join professional organizations for many reasons, but the ones I mentioned are good for people getting going in the field. And while you’re at it, learn Kali Linux. You never know when it can come in handy.
If you’re trying to get a job in cybersecurity but can’t because you need experience you lack (the ultimate Catch-22), consider doing some volunteer work. Quite often, small companies, nonprofit organizations, religious institutions, and others are grateful for someone who knows at least something to help them with their IT and security infrastructure, since many such places have a hard time finding the budget to go about it properly. And while you may not get paid, it’s legitimate real-world experience that you can put on your resume, along with professional references, both of which should help you land a paying job.
There are a lot of people out there who know more and are better than me in the security and cybersecurity fields. Seek them out and solicit their advice. Many people are happy to help others. Meanwhile, read the article I posted and consider its words and implications. Those of you in North America (especially the US) know the difficulties being presented these days, both public and undisclosed. It’s a scary world and getting scarier by the day. I think the government may be doing some good things in the cyber field, and I think all of the branches have very solid cyber capabilities. And of course, the intelligence agencies are trying very hard, but we’re talking about A LOT of stuff and people, daily, nonstop, and it’s always react and play catch-up; it’s very hard to get out in front and, especially, to stay out in front. It often seems like a continually losing battle, and I engage with numerous dispirited people, and I get it, I truly do. But this is an ongoing battle/war that must be fought regardless. And to do this, we need the resources – in this case, trained and capable personnel.
(If you want to supplement this piece by leaving comments, thoughts, additional advice, etc., feel free to do so.)
Systems Engineer at CoAdvantage, 6 years ago:
This is a great article. InfoSec is a passion of mine and is the reason I decided to go into Information Technology as my profession. I began this journey in 2011 and I didn't feel I had the core understanding of Operating Systems, Network Infrastructures, file structures, etc. that is needed to be an effective InfoSec Engineer. Trying to transfer over from being a Systems Admin into InfoSec has been challenging due to most organizations wanting years of documented experience. Most companies don't want to invest the time to train someone who doesn't have the experience needed to be an experienced Security Engineer. You're correct that there are a lot of ways for an individual to gain the knowledge needed to become a Security Engineer, but the one thing I think would help would be a mentor program from all of the experienced Engineers in the field for the guys who are serious about making this their career. It helps to have someone you can talk to who has gone through the struggles or can guide you on the best path to take in this field. There do seem to be more security companies offering very good courses, but they seem to be getting outrageously more expensive each year.