Cybersecurity: It's a Skills Crisis
Alan Paller of SANS on How to Address the Staffing Challenge
The cybersecurity jobs shortage isn't about a shortage of people. Rather, it's a lack of skills among those who consider themselves IT security professionals, says Alan Paller of the SANS Institute.
The underlying problem is colleges and training centers aren't working to develop the pipeline of technically skilled workers, says Paller, founder of the SANS Institute.
"The colleges do not like to teach this stuff," he says in an interview with Information Security Media Group [transcript below]. "They want to teach the reporting, not the hands-on work. The community colleges don't do it."
And no matter how well organizations do at recruiting, they'll still hire unqualified professionals. "They're likely to get people who don't know what they're doing who claim they know what they're doing," Paller explains. "That's dangerous."
Paller's solution: Stop allowing people to pretend to do cybersecurity. "Security means making the system safer and there's no report that's ever made the system safer unless you stuck it in front of it to keep somebody away," Paller explains.
In an interview about the skills shortage, Paller discusses:
- Why it's a crisis of quality, not quantity;
- How to improve the cybersecurity staffing pipeline;
- Why security careers are increasingly attractive to professionals.
Paller founded the SANS Institute, a college and professional cybersecurity training school that has educated more than 145,000 technologists in 72 countries. He oversees the Internet Storm Center, the annual identification of the seven most dangerous new attack vectors and a global program that identifies and celebrates people responsible for remarkable improvement in cyber-risk reduction. He has testified before the U.S. Senate and House and was an initial member of the President's National Infrastructure Assurance Council. He was chosen by OMB and the Federal CIO Council as the 2005 Azimuth Award winner, a lifetime achievement award recognizing outstanding service to improving federal information technology.
Increasing Government Cybersec Pros
TOM FIELD: For some years now we've been talking about a cybersecurity staffing shortage, and recent reports indicate that the Pentagon in particular is moving toward expanding its cybersecurity force to approximately 5,000 individuals. What do you see as some of the factors behind that dramatic increase?
ALAN PALLER: It's not really the Pentagon that's making this increase. It's called the Cyber Command. The Pentagon probably already has 10,000 cyber people. The difference between what the Pentagon has now and what Cyber Command wants is most of the people who work for DoD who do cyber are people who are report writers. They're good people, but if you put them in front of a terminal they wouldn't know how to protect the computer or how to do the forensics or how to do the reverse engineering or how to code securely.
What the Cyber Command's looking for is people who can actually defend systems. When you read these stories, it's not that they just want people who call themselves security people, someone who passes a certification and can call themselves a security expert, because those people are a dime a dozen now. What's missing is the people who have the deep technical knowledge to be able to go into the New York Times and find out what actually happened and go into the Washington Post and find out what actually happened; very, very few of the people in security can do that.
Biggest Challenge in Recruiting Cyber Pros
FIELD: So this becomes an even more challenging undertaking then because, one, we don't have cybersecurity personnel that we can find, and to get to that level is a tough job for anyone in the public sector or private sector. What do you see as the Cyber Command's biggest challenges in recruiting the right level of cyber professionals?
PALLER: I think the Cyber Command has an easier job than most other federal agencies in doing it because their mission is so clear and the responsibilities that they can give to their people are so exciting. Like I said, the problem they have isn't having cool jobs. The problem is that there's no pipeline of these people. The colleges do not like to teach this stuff. They want to teach the reporting, not the hands-on work. The community colleges don't do it. The training schools, most of them don't do it. And we don't really do pipeline. Our role is for people who are already in the jobs to make their skills better. No matter how well they're recruiting, they're likely to get crap, meaning they're likely to get people who don't know what they're doing and who claim they know what they're doing. That's dangerous.
Setting Sights Higher
FIELD: Let's talk about the organizations themselves because they're used to hiring people that can put out reports and that's all they know. How do we get them to set their sights higher to fill these roles with a higher level of cybersecurity professional?
PALLER: We show them the bill that the New York Times paid to bring those people in after the fact to clean up the mess, and it's got a lot of zeros in it. We say: "A, you didn't have to go through that if you had the right people in the first place. And B, they're charging you $1,000 an hour for people that are good, but they're not that good." You just have to do the economic argument. Everybody who's gone through one knows they have to have the people. The ones who have not yet gone through a bad breach and the FBI hasn't come in to tell them they've lost all their data, they're still in this report-writing phase. They'll come around. So many organizations are getting hit that there aren't going to be enough people for everybody anyway. It's sort of okay that some of the dumber ones are going to take their time.
Making Cybersecurity More Attractive
FIELD: Final question for you: Not everybody that goes into cybersecurity is going to join the Cyber Command. How do we make the cybersecurity profession more attractive and sexier to people coming into the field to make it a career destination?
PALLER: I don't think you have to do a thing. The newspapers are doing that every day. There was a wonderful story, an absolutely true story. A young man at one of our programs was in a bar - and it sounds like a joke, but it's not a joke at all. He was in a bar and there was a really pretty girl sitting next to him, and another guy came up and started talking to the girl. The girl asked the other guy what he did, and the other guy said, "I'm in network security." When the girl went to the bathroom, our student looked over at him and said, "Hey, I'm in network security, too. What do you do?" The guy looked at him and said, "You're out of your mind. That's a pick-up line." We do not have to do anything to make cybersecurity a destination. What we have to do is stop allowing people to pretend to do cybersecurity when what they're really doing is journalism, which is a valuable thing, but it's just not cybersecurity; or report writing, which is a valuable thing but it's not cybersecurity. Security means making the system safer and there's no report that's ever made the system safer unless you stuck it in front of it to keep somebody away.