There is a severe shortage of information security professionals, and leading industry experts say it's only getting worse.
Word among attendees at this month's Black Hat USA 2014 conference -- the largest security conference in North America -- was that there are more jobs in cybersecurity than people to fill them.
James Arlen, Leviathan Security Group’s Senior Security Consultant, was one of many walking around the conference asking "anyone and everyone" to throw resumes his way.
"I think I counted over 50 'We’re Hiring' or 'Talk to me about a job' signs," he said.
In conversations throughout the conference, the seasoned researcher discovered quite quickly that his wasn't the only company on an aggressive hunt for hackers to plug infosec's talent gaps.
He told ZDNet, "The most entertaining of these was the effort by Nike to attract talent at Black Hat."
"For every request I made to help fill empty slots on my team, I was asked if I was looking to make a move to a 'better' position," the consultant added.
For a sector whose growth is incomprehensibly fast to outsiders, the escalating hiring crisis seems counterintuitive. But in this painful moment in infosec, calling it a crisis seems a gross underestimation of the problem.
In January, the 2014 Cisco Annual Security Report (CASR) projected a 500,000 to 1,000,000 person global shortage in the number of IT security professionals that public and private sector organizations will need to cope with the security challenges of the foreseeable future.
“Cisco’s number is the highest estimate of the security-skills problem,” explained eWeek in its June writeup on the worsening impact of the Internet of Things on infosec’s hiring crisis.
"James Gosler," eWeek continued, "a cyber-security specialist who worked at the Central Intelligence Agency, has argued that the United States needs some 30,000 technical cybersecurity workers, essentially hackers."
Meanwhile, the International Information Systems Security Certification Consortium has calculated that more than 300,000 cyber-security professionals are needed to maintain and manage business systems.
Arlen thinks a big part of the domestic problem is the bureaucratic roadblocks to hiring talent from outside U.S. borders.
He said, "The need within the U.S. cannot be met by domestic talent."
Leviathan's security honcho attributes the widening gaps to a long overdue need for changes to foreign worker status, namely employment-based immigration visas.
The two lowest-friction methods to get talent from outside the US – TN Status (NAFTA) and H-1B – are still significant barriers to acquiring talent either from Canada or the rest of the world.
And of course, there’s the curious conflation of citizenship with loyalty… many security positions require clearance of one type or another and therefore must be filled by US Citizens only – foreign nationals, even of allied countries (even Canada!) are not welcome.
Structural obstacles, such as visa requirements, are layering atop an underlying bottleneck: the limited supply of qualified talent in a young industry where the definition of "qualified" is about as clear as mud.
Hiring the unhirable
Solving this crisis turns out to be as complex as defining what constitutes a "qualified hacker" -- in a business where having a pedigree can actually have you considered to be less qualified, and being unhirable by traditional standards is… almost desirable.
Chris Hoff is the Vice President, Strategy and Technical Marketing Engineering – Security, Switching, and Solutions BU at Juniper Networks.
Hoff told ZDNet that vendors are experiencing difficulty finding suitable candidates "in a highly competitive job market that have the required experience in a number of emerging disciplines such as advanced malware detection/mitigation, reverse engineering, forensics, crypto, virtualization and cloud."
He continued:
This is largely in response to the emergence of new classes of threat actors, new technology, evolving and innovative threat vectors and the wave of breaches that show up in the media daily. This is in addition to the lack of formalized educational, mentorship and professional tradecraft training.
Further, “Security” is still a reasonably young “profession,” and many of the skills are learned on the job, which often means it is hard to break into the industry with enough of a well-rounded background that allows one to take advantage of emerging career opportunities and not become overly specialized.
Arlen thinks the most severe challenge relates to the education vs. experience conundrum endemic to the information security profession.
I have a personal preference to hire based on experience – and a sufficient number of others do as well – leaving the bulk of ‘available’ talent in the “book learning rather than practical” bucket.
Mr. Arlen adamantly believes that the industry needs to stop equating education with experience. "It is too hard for the average organization to hire actual qualified people – Degrees, Certifications and fudged resumes do not magically create qualified people."
"I appreciate that someone may have a Master's in Cybersecurity from a name-brand university (like this, and many others), but that doesn’t necessarily mean they have the ability to apply anything they’ve learned in a practical fashion."
It's experience with attacks, and perhaps even unsavory hacking hobbies, that can make the difference between filling a job with a talented defender and filling it with a salesman who has a pedigree but no grasp of the devil-in-the-details meat of cybersecurity.
So it's no wonder that last weekend an interview with White House Cybersecurity Czar Michael Daniel hit a raw nerve across infosec communities far and wide when Daniel eschewed technical knowledge and experience "in the weeds" in favor of his expertise at translating issues to policymakers.
For some, it gave the impression that the White House isn't taking information security seriously enough -- at the worst possible time.
The result of all this, Mr. Hoff warns, is "increased risk, more incidents, decreased readiness, less resilience, demoralized and burned-out employees, an echo-chamber of talk with little action and a general inability to effect positive change on behalf of those we protect."