Is the Security Skills Shortage Real?

The controversy generated by my article in DarkReading was not entirely surprising.

"How the Skills Shortage is Killing Defense in Depth"

Some insist that there is no security skills shortage. But I insist that they are wrong, based on my experience in the field over the last three years. Many times I get invited back to see a customer I've seen before. When I return, I find that some of their security people have moved on. One of the major credit card companies had a brilliant Director of Security with an impressive threat intelligence team. When I came back a year later, he had been poached and had taken half the team with him. The other half of the team was junior and demoralized. I've seen it happen with other teams as well.

Last fall at the CSO Perspectives event in Sydney, I sat on a panel in front of an audience of about 200 CSOs and Security Directors. Throughout the day the skills shortage kept coming up, and finally I asked for a show of hands to see who was suffering from it: nearly every hand went up.

At an FBI InfraGard event in Florida, an audience member put forward the question about the security skills shortage. Ken Athanasiou, the CSO of AutoNation, replied:

"Your propeller-head infosec techie who can crack packets wide open is more important than any tool you can buy. If you've got someone like that, make sure you keep them happy."

So to the naysayers who claim that there's no shortage, I beg to differ. The problem we have is how to solve the shortage.

Some argue that if IT paid higher wages, more people would be attracted to the field. These market forces can work for some fields, but security isn't one of them. Security, as a practice, is harder to train for. It takes a special mindset. Some would say that it takes a kind of paranoia.

And that special paranoia requirement means that only a subset of the people you’re looking for can even be trained in the way of the hacker. For the young people who want to get involved in information security I have three recommendations:

  1. Join the local OWASP chapter.
  2. Dive into the tools.
  3. Attend a security conference.

The OWASP web site is a great place to start learning about application security. There are local meetups all over the world to attend. Membership in the organization isn't mandatory, and in any case costs only $50.

Getting started with the security tools, both offensive and defensive, is a very hands-on way to gain quick experience at home. The OWASP site has how-to articles for WebGoat and other fun tools.

Finally, attending a security conference can be the best, and most fun, way to get into the field of application security. When I was just starting out, I attended one of the few hacker conferences at the time: DEF CON. I was blown away by the hacking culture and the spirit of information sharing in the community. DEF CON is still the premier hacker con, and it has stayed true to its roots. The fee is a mere $200, low enough that newbie script kiddies can just jump in the car, drive out to Las Vegas, spend four days soaking up the culture and come home with a head full of ideas about what to do next. For people who can't make it to the conference, the new DEF CON YouTube channel has the talks online.

From my experience, I believe the shortage is real. See the DarkReading article for statistics. See OWASP and DEF CON for the way forward.

Published Feb 23, 2015
Version 1.0

1 Comment

  • I agree that the skills shortage is real. I see it when attempting to hire security-minded people. There is another part to that skills shortage, and that is how corporations value security. In a nutshell: Not very highly. Everyone talks about it, few organizations want to spend even a fraction of their budget to actually tackle it. As any security person knows, security is hard: And that seems to bump it right down in the priority list when it comes to spending. Though it is a high priority talking-wise. I used to be an information security employee, until I took an arrow ... never mind. Until I saw how much more money I could make by just doing infrastructure, switching and routing. It's child's play compared to security - and it gets actual dollars. Should that market shift towards security, I'll be happy to shift with it.