How infosec hiring lost its way: Harsh findings in Leviathan report

In one of three cloud security whitepapers released by Leviathan Security Group today, the firm revealed infosec's problematic hiring arc -- where solutions appear ruinous, at best.
Written by Violet Blue, Contributor

That's not to say the report states exactly this; read Leviathan's 'scarcity' report for yourself and see why we're worried about "establishment" solutions to what we see as culture clash problems.

At no time in history has there been a greater need to hire security professionals to protect and defend infrastructures from an inexhaustible onslaught of organized crime, skids, industrial espionage, and nation-state attacks.

Leviathan's research team reports that, "With more than one million cybersecurity positions unfilled worldwide, currently-identified security needs couldn't be met if every employee at GM, Costco, Home Depot, Delta, and Procter & Gamble became security experts tomorrow."

If the concept of Delta doing security operations isn't disturbing enough already, the report adds,

Those one million positions span industries, specializations, and requirements; in addition, approximately 25,000 of them are in the United States' federal civil service.

If you think this is some kind of hype, strut your non-gender-specific haughty high heels on over to the report and skip to the citations.

A small talent pool, an inflated wage bubble and the high tensions of a virulent attack landscape have made cybersecurity's hiring crisis the literal "billion dollar" problem.

The report -- real name "Analysis of Cloud vs. Local Storage: Capabilities, Opportunities, Challenges" -- concisely explains the solutions coming from the establishment classes: Basically, it's either poach talent from other countries, or make everyone go to college, get degrees, and hire them in five years after they have experience.

"The first category of solutions," Leviathan diagrams, "to a country that has a shortage in qualified security workers involve finding expert security workers in other countries, and bringing them (on either a temporary, as-needed, basis, or on a permanent one) to the country with the shortage."

It does a deep dive into the pros and severe limitations of Schengen Zone immigration (the European Union, minus UK/Ireland), plus the outdated inefficiencies of NAFTA and H-1B visas as they apply to infosec, and explains,

Necessarily, each security (or other) expert drawn from another country, while representing a gain to the knowledge pool of the United States, represents a loss of experience and talent from their country of origin.

While Article 12 of the International Covenant on Civil and Political Rights requires countries to allow emigration (in most cases), a "brain drain" on this scale may be considered, at the extreme, a threat to the national security of the countries of origin.

The other solution, to make more hackers -- but not, you know, hackers -- is equally riddled with urgent problems. "The second category of solutions involves training domestic persons to a sufficient level of expertise in security (...) but this is a many-year process with no gains at the expert level in the short and medium term."

The report details government-supported educational initiatives to identify and train cybersecurity talent, including the Global North and BRICS countries (Brazil, Russia, India, China, and South Africa), the UK's cybersecurity programs, the European Commission's TEMPUS (Trans-European Mobility Program for European Studies) program, as well as business and non-profit groups that are trying to stimulate infosec interest in STEM fields.

These programs cannot, however, scale quickly or effectively enough to deal with the outsized nature of the demand for expertise. To take one illustrative example, the entire United Kingdom's advanced, GCHQ-led cybersecurity programs will produce just 66 PhDs with a cybersecurity focus per year, beginning in 2017.

But it's in this section that the Scarcity report hits a specific infosec nail right on the head.

Critical fail: Tone-deaf to security culture

In the education-solution arena, current conventional wisdom is, "Master degrees are essential for providing a cybersecurity workforce with advanced capabilities."

However, the report concedes that after getting a degree, it takes years to gain experience. At the same time, we can also argue that current conventional wisdom in infosec culture acknowledges that many of the best and brightest (and some of the most successful) don't have degrees and would likely be unhirable by these newer 'Master's degrees' standards.

'Scarcity' is fantastic, yet it offers analysis of two arguably deeply flawed solutions being pursued (which pretty much spell near-term doom for some, if not many, organizations).

ZDNet reached out to Leviathan to ask whether, in its research for 'Scarcity', the team had encountered or imagined a third possibility that no one else is seeing.

Indeed they did, but it probably won't sit well with "establishment" types.

Leviathan Security Group's Director of Risk and Advisory Services James Arlen told ZDNet, "The most interesting aspect of the 'book learning' problem is the most simple -- just because you read about something doesn't mean you have any idea of how it works in practice."

He added a reality that many infosec professionals know all too well -- but worryingly seems to evade infosec hiring decision-makers. "Shift that to something involving critical infrastructure and that Master's degree holder is going to cause more actual harm than the ruffian who lacks a pedigree (but has a wall covered in conference badges) would've seen as the most obvious avoidable outcome."

ZDNet asked Mr. Arlen -- the report's primary author -- if he saw a third solution, one that wasn't evident in the 'Scarcity' report. "There is a third option," he said, "but it's the one that the industry is shying away from -- we need to move to an 'apprentice/journeyman/master' system (or pick what lawyers, accountants, engineers, doctors, etc. use) -- a scaled system where you must achieve experience before you are allowed to operate on your own."

This would almost certainly have an effect on the SANS/ISC2/ISACA crowd and would require a level of integrated cooperation that is simply not yet part of the maturity path of the people who do infosec -- think of the gap between the field practitioners and the community.

Arlen told ZDNet, "I'd like to take a week with 10 specialists in infosec, education, self-regulated industries, and government and plot out how to move to a more mature system with defined pathways for people who want to climb all the way up the ladder and also people who want to achieve excellence in a particular area of study."

It seems like too often in infosec, everyone likes talking about problems and making drama out of report findings, but all too few offer solutions that aren't 'buy my product' -- so I was glad I asked.