Addressing the Skills Gap in Cloud Security Professionals
By Ryan Bergsma, Training Program Director, CSA
One of the math lessons that has always stuck with me from childhood is that if you took a penny and doubled it every day for a month, it would make you a millionaire. In fact, it wouldn’t even take the whole month, you would be a millionaire on the 28th day. Of course, most of us realize this would be nearly impossible to accomplish in reality (unless you invested in the right crypto at the right time in the fall and early winter of 2017). The reason that this old math lesson comes to mind when I think about the skills gap in IT security, and in particular cloud security, is because of Moore’s Law.
The rise of cybercrime & IT security
Granted doubling every two years is a lot different than doubling every day, but if you take 1970 as the starting point, we are already over 85 percent of the way to our computational power being one million times greater than what it was. I bring this up because it speaks to the rapid increase of power behind the tools that are at the disposal of criminal hackers today. Couple that with the fact that:
- Modern society relies so heavily on IT and…
- So many of our assets (from personal information, to intellectual property, to bank ledgers) can now be found online
And you have a scenario that is ripe for exploitation. With so much opportunity, albeit illegal, it is no wonder that bad actors have become prolific. And with this group of bad actors growing so rapidly, we see the boom of the IT security industry. Especially given the fact that though it may only take one persistent bad actor to breach a system or network, it generally requires an entire team to protect it.
So... the demand for cybersecurity professionals continues to balloon.
In fact, the Cybersecurity Ventures 2017 Cybersecurity Jobs Report says “Cybercrime will more than triple the number of job openings over the next 5 years” and predicts that there will be “3.5 million unfilled cybersecurity positions by 2021.”
Increased threats to cloud computing
One particular realm of IT that has exploded into the mainstream consciousness in the past decade is cloud computing. Some of the benefits of cloud computing have driven large scale adoption of its use by both individuals and businesses. In many cases, it may even be in use without awareness of its use (or the potential impacts). Whether the awareness of the use of cloud offerings is there or not, the need for security in cloud computing most certainly is. Though it may be possible for cloud solutions to provide heightened levels of security when compared with traditional on-premises IT infrastructures and services, cloud infrastructures, platforms and services do come with their own unique set of risks. CSA even maintains a list of Top Threats for cloud environments. These factors have left many businesses, even those with already existing IT security departments, scrambling to understand and mitigate the risks associated with the myriad of cloud solutions.
Meanwhile the shift to cloud continues to accelerate. The same Cybersecurity Ventures report also mentions that “Microsoft estimated that 75 percent of infrastructure will be under third-party control (i.e., cloud providers or Internet Services Providers) by 2020.”
Why the skills gap exists
With cybercrime driving the growing demand for cybersecurity professionals, the explosion of cloud usage, and it subsequent need for cloud security professionals— why is it that so many of these jobs remain unfilled?
The harsh reality is that employers are not able to find the employees to fill these positions because the demand is so great. There are not enough individuals with the skill set and years of experience that employers are looking for to fill these critical positions. A survey of industry influencers conducted by Logic Monitor found that “58% agreed lack of cloud experience in their employees was one of the biggest challenges.” Employers are then left with the choice of leaving the positions unfilled or filling them with under qualified applicants. A 2017 Global Information Security Workforce Study says that “It is not uncommon for cybersecurity workers to arrive at their jobs via unconventional paths. The vast majority, 87% globally, did not start in cybersecurity, but rather in another career. While many moved to cybersecurity from a related field such as IT, many professionals worldwide arrived from a non-IT background.”
What can be done to address this skills-gap?
Given the growing business demand for skilled cloud security professionals, what can be done to stem the tide of this increasing skills gap?
As an organization
To begin to combat the skills gap in cybersecurity professionals, and cloud security professionals in particular, businesses need to start taking proactive steps. Get your business behind initiatives to document current best practices in security and turn that documentation in training materials for the workforce. In cloud this is especially critical given its rapid development and expansion. This could be in the form of encouraging your senior employees to use some portion of on the clock time to volunteer for these types of initiatives, or it could be directly funding projects to create the new training materials. Organizations need to encourage and incentivize current employees that are less knowledgeable in security to take advantage of current training offers. It could also be worth considering setting up scholarship programs to make cybersecurity training more accessible for the next generation of cybersecurity professionals.
Of course given the gap, businesses also need to be more open to hiring these newly trained security professional into entry level and junior positions so that they can begin to build the experience required to fill more senior positions.
As an individual
And, for individuals who are interested in a cybersecurity career, get yourself into training and pursue certificates and certifications that demonstrate your interests and abilities to businesses that are desperately in need of qualified cybersecurity professionals. There are a wide range of options when it comes to cybersecurity, so make an effort to figure out where your interests lie. Some of the many options include things like computer forensics, pen testing, network security, security policy, end user education, security audit or secure software development. Whether you are interested in writing code or working with people, there are likely security opportunities that will be a good fit for you personally.
If you already have some level of security knowledge and are interested in cloud, our Certificate of Cloud Security Knowledge (CCSK) offering is a great place to start. Holders of the Certified Information Systems Security Professional (CISSP) from (ISC)2 benefit from the alignment between the bodies of knowledge of the two credentials. All CISSP’s 10 domains have an analog in CCSK’s 14 domains; where the domains overlap, CCSK builds on the CISSP domain and provides cloud-specific context.
For those holding ISACA’s Certified Information Systems Auditor (CISA) designation, better understanding of how clouds work and how they can be secured makes it easier to identify the appropriate measures to test control objectives and make appropriate recommendations.
Ryan Bergsma is the Training Program Direct at CSA where he manages CSA’s training programs including the Certificate of Cloud Security Knowledge (CCSK) and Cloud Controls Matrix (CCM) Training.