We use the internet for day-to-day activities from work to play to shopping under the assumption that security experts are keeping us safe from cybercriminals. But those security experts are already stretched thin — and the situation promises to get worse.
The nonprofit group ISACA predicts that by 2019, there will be a global shortage of 2 million cybersecurity experts. That is a skills gap crisis of epic proportions, and few organizations or companies have any clue what to do about it.
Part of the reason the situation has become so bad is that instead of taking active measures to solve this growing worker shortage, many in the security industry have placed blame elsewhere. Too often, the lack of a talent pipeline is attributed to the failure of universities that supposedly have not done enough to prepare the next generation of cybersecurity experts. Instead of actively seeking measures to enable the development of new workers, companies are more likely to poach top-tier talent from another company, adding incivility and unending staff changes to the existing talent-shortage problem.
It should also be concerning that companies are using the skills shortage as an excuse to enable lax security strategies. Because they don’t want to do the work of developing their own roster of experts, technology companies will outsource security and bolt vital cybersecurity tools on at the end of product development. Instead of preventing or defending, this approach creates far greater risk for all involved.
A far better approach, and one that my own team has adopted, is to develop security expertise in-house. We did this at my company by implementing an apprenticeship program we dubbed “Draft and Develop.” And it has worked to make us stronger.
We now have a growing bench of cybersecurity talent built from the company’s in-house IT team who opted in to a three-month program that combined internal education, like employee shadowing, and external training through security conferences and seminars. While it took a lot of hard work and perseverance, they now have the expertise to run sound DevSecOps strategies to protect our critical data from cybercriminals.
In an industry where any competitive advantage is guarded like state secrets, we believe overcoming the looming cybersecurity gap is too important to keep our apprenticeship program to ourselves.
This is a strategy that every technology company can and should embrace.
One of the biggest factors that created the cybersecurity skills shortage is the demand for in-house security staff at non-security technology companies. Instead of poaching from security companies or plugging untrained workers into key roles, most technology companies are perfectly situated to develop internal security expertise by leveraging their existing engineering and operations talent.
Cybersecurity skills and the knowledge needed to manage the software can easily be taught on the job to IT teams and staffers that have the inherent ability and attitude needed to succeed in technology. A key to our program is the “Drafting” of team members who demonstrate a passion for security and the desire to continue improving their skills.
The hard skills can be taught or developed on the job when you have an individual who is passionate and dedicated. Experience comes with time, and expertise can be learned. But you cannot teach attitude and enthusiasm.
A well-designed apprenticeship program can develop and mold employees with an existing technology background, but it’s important to remember that most companies don’t have the time or resources to train somebody from square one. The last thing you want to do when implementing a program like “Draft and Develop” is to take time from your leadership team, so ensuring the right people are being put into the program is a critical piece of an effective apprenticeship initiative.
To succeed, you need to clearly define the program up front and execute it properly. Focus on implementing a process that is repeatable and then finding passionate people who will do everything they can to succeed.
With a well-designed apprenticeship program and the right people, technology companies can change the industry-wide momentum and start to close the skills gap that has been dragging the industry down for years. Now is the time to get started. Our world is becoming more connected, and the gap is only going to grow unless we take steps to counteract this trend today.
I have already seen it work firsthand at my company, and I believe that if others take the same approach, the cybersecurity skills gap will become a thing of the past.
Brian Ahern is CEO of Threat Stack.