There isn't a cybersecurity skills gap: Rik Ferguson

'Spend more time looking at humans, and not at pieces of paper', says Trend Micro's high-profile security researcher.
Written by Stilgherrian, Contributor

"You're being conned. There's no such thing. It doesn't exist," says Rik Ferguson, vice president for security research at Trend Micro. He's talking about the much-discussed skills shortage in the cybersecurity sector.

You've heard it before, right? There are a million unfilled cybersecurity jobs globally today, and there'll be many more in the future.

Ferguson was speaking at the Australian Information Security Association (AISA) national conference in Sydney on Wednesday. He sees it very differently, and he makes a solid argument.

"The problem is too many organisations are busy hiring pieces of paper, and not busy enough hiring people," Ferguson said.

There's no point listing a Masters degree in cybersecurity as one of your job requirements. Such qualifications were rare until relatively recently, and even then they were called something else, or the skills you really want were buried as part of another course.

Ferguson himself did a Bachelor of Arts in French, and then spent 14 years working an IT support desk.

"That's enough to build a career on," he said.

"You should be looking more for people, and soft skills within those people, and the character of someone who's going to be good at analysis [and] problem solving. Those are the kind of things you want in cyber. You want tenacity and stubbornness. You want someone who continually questions. You want someone capable of parallel thinking. Someone [who is good at] sorting through details.

"You don't need to make sure they have the right certifications and the right pieces of paper. They can learn that on the job. You should even be sponsoring them to do those courses and learn those skills on the job. That's part of the reward for offering your effort as an employee.

"I knew I was going to harangue you at some point."

ZDNet heard similar sentiments out on the conference floor, although perhaps expressed less bluntly.

One senior security executive complained of a major organisation with too great a focus on qualifications -- ironically seeing a master's degree as a threat, because he might out-qualify his potential future boss.

Take one young Australian hacker, Nathaniel Wakelam, with no qualifications whatsoever but plenty of persistence, who at age 20 managed to make AU$250,000 in bug bounties in just six months. In the radio documentary where he was interviewed, Bugcrowd founder Casey Ellis told the Australian Broadcasting Corporation that Wakelam's story wasn't all that unusual.

More recently, Australian government agencies have also been hiring people rather than qualifications, though that's been forced upon them by their own specific needs.

A number of sources in Canberra, or familiar with the intelligence community, have told ZDNet that increased demand for the positive vetting (PV) process to clear employees for the more secret work across all agencies has blown out processing times to an average of 18 months.

That clock starts when all of the potential employee's documents have been received, which means that in practice the time between advertising a position and getting a person between chair and keyboard is around two years.

That doesn't help government agencies with significantly increased budgets and workloads, and a need for skilled people. Some, therefore, have started recruiting people who already have PV and the right character, and giving them a crash course in the cybers.

This isn't actually a new problem in the IT industry.

For decades, recruiters have looked for employees with five years' experience in technologies that have only existed for five years. It's no surprise that they've had trouble finding staff who've been working on technologies since they were nothing but an initial blip on Gartner's Hype Cycle.

The idea of training an organisation's existing staff, people who already understand what the organisation does and how they do it, doesn't occur to recruiters. Well, they don't get a fee for that, do they?

Who they should be looking for, though, are people who are proven to be quick learners. We all know these men and women. They're the ones who can fire up a new control panel, maybe skim the documentation, and be working with it by the end of day one.

They may have qualifications in computer science, or software engineering, or networking, or whatever. But they're just as likely to "just" have a broad background in tech, and "just" know how stuff is built.

The one saving grace is that organisations with a check-the-box attitude to recruitment probably also have a check-the-box compliance-based attitude to cybersecurity. You probably didn't want to work there in the first place.

They're probably also the kind of organisation that'll suffer a massive, embarrassing data breach, and blame you for it. Cross that one off your list, and move on.