Why a skills shortage is one of the biggest security challenges for companies
Almost every company building an application needs to secure it, and yet all of them face an enormous constraint: talent.
Security requires a highly specialized skill set, which is in extreme shortage and will continue to be so for the foreseeable future. There are several reasons for this skills shortage, ranging from limitations in formal education to misperceptions about what a career in security even entails.
Download Ted's free ebook, "How to secure your software faster and better."
Your company can’t have adequate security without skilled individuals making it happen, so what can you do to build the right security team?
By understanding the talent shortage, you can anticipate what to do about it.
Education is a security bottleneck
The first cause behind the security-talent shortage is education and experience opportunities. Formal education isn’t (yet) optimized to create enough security talent.
Many ethical hackers come out of computer science degree programs, yet most programs treat security as an area of interest, rather than a core discipline. Security-specific degree programs are popping up, but there still aren’t enough of them to produce enough skilled security professionals, let alone at the level of expertise that’s needed.
Furthermore, security requires extensive, real-world experience outside of the classroom, too. Most security degree programs teach the fundamentals, but what security professionals do in the field usually differs from what they learn in the classroom.
Developing security skills takes a long time and requires accumulating deep expertise across a broad range of domains. There’s no single place where all of this information can be found, so it takes a lot of grit just to find the relevant information, let alone master it. Taken together, these factors mean that formal education produces fewer qualified security professionals than the world needs.
Security has perception issues
The second cause behind the talent shortage is the common perception that security is ridiculously hard. Rising computer scientists (of which ethical hackers are a subset) often pursue other things instead.
This misunderstanding of the field also feeds into a perception that, as one ethical hacker put it, “Security people are seen as wizards beyond mortal understanding.” This suggests that if you’re not already one of them, it’s not worth trying to become one.
That simply isn’t true: the best security professionals — literally every single one of them — learned the skills along the way, too. Nevertheless, this perception deters a lot of talented people from even getting started.
Security is adversarial
Lastly, security by its very nature is adversarial. The purpose is to pit two forces against each other. It’s not just about being creative (as is the case with almost all of computer science); it’s about being more creative than someone else. To succeed in the security field, you need to outsmart the hackers working against you, a requirement that can be stressful and intimidating.
Many talented people decide they’d rather compete against the constraints of what it takes to develop software than compete against other people. Most computer scientists want to build things for themselves, rather than tear apart the work of others. Yet, that’s exactly what ethical hacking is about.
Like the perception issues around the difficulty of security, the adversarial nature of the career keeps many qualified people from ever starting.
Dealing with the shortage
As a company that needs skilled security professionals, what are you to do in the face of this shortage?
Your best option is to take a two-pronged approach: build your own expertise in-house, and also hire an external security team. Security is a team sport, and you should pursue both. External and internal expertise complement each other and magnify each other’s impact.
Your external security partner finds security vulnerabilities; you fix them. Your partner transfers knowledge; you use it to get better. Your external partner is immune to bias as well as the strong opinions of powerful leaders in your company; they just tell you how it is, even if it’s not what you want to hear. You ensure the security mission is supported by executives and key stakeholders, while providing your partner with the access and information they need to improve your systems most efficiently.
The talent shortage might mean building your in-house team will be a long and difficult process. With an external team complementing your internal teams, you’re able to deal with your many security challenges right away, while leaning on your external teams to help you build internal capabilities over time.
Win-win.
Learn how to secure systems with 11 courses from Infosec Skills instructor and #1 best-selling author Ted Harrington.
- Hack your system
- Establish your threat model
- Spend wisely
- And more
In this Series
- Why a skills shortage is one of the biggest security challenges for companies
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
- Introduction to the OWASP API Top Ten
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security