PFC Parts’ Delectable Cyber Security Shopping List

Over the last two years I’ve seen several outcries over the supposed great shortage in capable Cyber Warriors. But what does this mean in terms of required skills? Most articles seem to ask for quite a lot; their Cyber Warriors seem to be required to be able to defend their networks (CND in military parlance), attack their adversary’s network (CNA), engage in Cyber Espionage (CNE), reverse engineer malware and probably a bit more. I found it hard to get a single answer, but SANS seems to agree with the previous list. At least, they do if you go by their Cyber Guardian program, which is essentially a group of SANS certs stacked together. But realistically: do you really need such heavily certified people at every position? And that’s not even going into the deeper issue of how capable these people actually are. After all, they may well have gotten through all these exams by just being really good at studying (rather than actually understanding the material).

An article at NPR quotes a James Gosler, who is apparently a ‘veteran cybersecurity specialist who has worked at the CIA and the NSA’, though they don’t explain what standards they used in determining his skills. In the article Gosler states that the US would need between 20.000 and 30.000 cyber warriors. It’s a number that keeps coming back, but it’s not really elaborated on in the article.

A study done by the US Center for Strategic and International Studies (CSIS) also speaks of a human capital crisis in Cyber Security and may offer some insights that can also be used outside of the US, though of course the numbers will vary. CSIS uses roughly the same numbers as the article but mentions that there are a variety of people and skills involved. From the appendix in the report we learn that CSIS found a shortage in the following roles:

High Priority
CISOs
Systems Operation and Maintenance Professionals
Network Security Specialists
Digital Forensics & Incident Response Analysts
Information Security Assessors

Medium Priority
Information Systems Security Officers
Security Architects
Vulnerability Analysts
Information Security Systems & Software Development Specialists

Low Priority
Chief Information Officers
Information Security Risk Analysts

In my opinion it’s a good list, though if positions such as ‘Systems Operation and Maintenance Professionals’ cover job descriptions such as UNIX, Windows and Database Administrators, then the 20-30.000 number is probably at the low end of the scale. CSIS rightly mentions these people, and it’s important to note that they are the backbone of any IT department, everywhere.

You’d think that there are plenty of those folks around in the IT sector, but the key word in this story is ‘Capable’. During my years spent in IT I’ve met many people who work in these positions but can hardly be called capable. There are too many hacks in this game, yet many of them hold certifications that should demonstrate otherwise. This, to me, demonstrates that most of the current certification schemes out there simply don’t function as well as they should.

What I like about the list is the mention of CISOs and CIOs. In my opinion they are also listed in the right positions, as many CIOs are completely clueless when it comes to the IT sector they are supposedly serving. For some reason unbeknownst to me, IT is the only area where C-level management is chosen based mostly on what their alma mater is and what fraternity they were a member of. When is this going to stop? Why don’t CEOs have the common sense to realize that most of their organization runs on its IT infrastructure and it needs a capable manager to run it? Here in the Netherlands, this problem was acknowledged by the Nyenrode Business University, which developed an IT aspect to its well-respected MBA program. It is my belief that more such initiatives should be taken to create better CIOs.

Another worrying trend is using CISOs as firemonkeys: a CISO gets hired to improve security but doesn’t get the authority or the budget to actually change things. When a hack does occur and heavy damage is taken, the CISO takes the blame and finds himself fired. A new CISO is hired and the cycle begins anew. The CIO, who really deserves the blame for not taking security to the board of directors where it belongs, comfortably stays put. Small wonder that there’s a shortage of CISOs, right? I’d also like to note that hiring new CISOs will do little good if this practice is kept in place.

Looking at the list provided by CSIS, I can only draw the conclusion that the bigger problem isn’t the lack of ‘Cyber Warriors’ but the lack of capable “regular” IT staff. Oh, I’m sure that know-it-all, superhero-grade Cyber Warriors are needed, but I sincerely doubt that we need as many as some people seem to fear. I also wonder if governments would be willing to pay for such expensive certifications (SANS is probably the most expensive on the market) or even the wages these experts should be getting. As you can see, there are questions all around and not many definitive answers. If you have some, please feel free to let me know.