It is hard to hire cyber-security experts. Hundreds of thousands of experts are missing in the US and Europe. In this article I am going to share ideas to help solve that huge problem: how to get more experts and how to reduce the number of experts needed.
Why this shortage
A few years ago it looked as if all of society decided to enter the digital age, and very quickly. We needed 50 years to bring electricity to more than 90% of the population and only 6 years to bring smartphones to most of our nations. Criminals simply follow the trend and are becoming cyber-criminals. Even nations have entered the time of cyber-war, with events such as Stuxnet and WannaCry that changed the cyber-security industry forever and raised the number of experts needed.
Another problem is that nobody becomes a cyber-security expert in a few weeks. Working in our industry requires a lot of skills and expertise. IT is complex, with components ranging from hardware to software and from telecommunications and networking to computing, so we need experts who understand all these layers of technology. And of course, we need them to be good at both defending and attacking IT systems. That makes it harder to onboard people as cyber-security experts.
How to involve more people in cybersecurity
The training market quickly understood the opportunity to train people, and within 5 years we saw people graduating from universities with cyber-security degrees. But the fact is that the focus was mainly on the new generations. We need to let older people take up training too. At around 40 years old, there is training available to move to a new stage. So we should look at how to hire people from other industries, or at least from computing and networking, and bring them into our own industry by building specific training for seniors. We need it, and there is money for training this kind of people.
But not everything is about technology. Cyber-criminals do not only cause problems on the technical side. The most common attack still remains, basically, phishing. To fight against that, we need other, non-technical skills. In the US, I have found many cyber-security experts with degrees in marketing or communication. In some consulting companies, I have seen up to 50% of the teams without a tech degree. We have to get over our beliefs and let this kind of expert solve the problems they are able to solve.
Prejudices also limit the ability to hire more people. Arriving in the US, I was pleasantly shocked by the diversity. By that I mean I found cyber-security experts coming from Pakistan, India, Europe, South America and Africa, and many women. I thought being a French cyber-security expert could be challenging in the US, but they did not care. After some years, some of the immigrants became US citizens and some of them even work on confidential defense projects. That was a totally different mindset from the industry I knew in France. Let’s hire the best cyber-security experts wherever they come from.
How to reduce the need for cyber-security experts
Cyber-criminality is rising very quickly and we have to find new ways to keep up with it, not only hire new people. The first thing we could do is make our cyber-security organizations, whether in companies or at sub-contractors, more efficient. I know many cyber-security experts who routinely do basic tasks like translations or filling in Excel sheets. That is a waste of time and money given their knowledge and expertise. We can’t imagine a world of doctors without nurses and midwives. We should follow that industry and create new kinds of jobs that do not need a master's degree.
Another avenue we should investigate is how to use new technologies to bring automation. In Silicon Valley, I found startups from all over the world finding solutions to these problems. Here are 2 things I found:
- reducing the number of people we need in the SOC with AI, and specifically machine learning.
- using innovative appliances focused on phishing and social engineering attacks.
The last thing might be obvious. What I learnt from both Europe and the US is the need to deploy quickly and to need fewer people to do the same job. So when companies decide which technology to use, they should consider how many people they will need to deploy and maintain it. It must become a criterion for buying products and solutions.
To solve the lack of cyber-security experts, we should hire differently and without prejudice, make better use of experts, focus on finding startup solutions, and use solutions that need few experts.