PFC Parts' Delectable Cyber Security Shopping List

Tuesday, July 19, 2011

Don Eijndhoven


Over the last two years I've seen several outcries over the supposed great shortage in capable Cyber Warriors. But what does this mean, in terms of required skills?

Most articles seem to ask for quite a lot; their Cyber Warriors seem to be required to be able to defend their networks (CND in military parlance), attack their adversary's network (CNA), engage in Cyber Espionage (CNE), reverse engineer malware and probably a bit more.

I found it hard to get a single answer, but SANS seems to agree with the previous list. At least, they do if you go by their Cyber Guardian program, which is essentially a group of SANS certs stacked together. 

imageBut realistically: Do you really need such heavily certified people at every position? And that's not even going into the deeper issue of how capable these people actually are.

After all, they may well have gotten through all these exams by just being really good studies (rather than actually understanding the material).

An article at NPR quotes a James Gosler who is, apparently a 'veteran cybersecurity specialist who has worked at the CIA and the NSA' though they don't explain what standards they used in determining his skills.

In the article Gosler states that the US would need between 20.000 and 30.000 cyber warriors. Its a number that keeps coming back, but its not really elaborated on in the article.

A study done by the US Center for Strategic and International Studies (CSIS) also speaks of a human capital crisis in Cyber Security and may offer some insights that can also be used outside of the US, though of course the numbers will vary. 

CSIS uses roughly the same numbers as the article but mention that there are a variety of people and skills involved. From the appendix in the report we learn that CSIS found a shortage in the following roles:

High Priority

  • CISO's
  • Systems Operation and Maintenance Professionals
  • Network Security Specialists
  • Digital Forensics & Incident Response Analysts
  • Information Security Assessors

Medium Priority

  • Information Systems Security Officers
  • Security Architects
  • Vulnerability Analysts
  • Information Security Systems & Software Development Specialists

Low Priority

  • Chief Information Officers
  • Information Security Risk Analysts

In my opinion its a good list, though if positions such as the 'Systems Operation and Maintenance Professionals' covers job descriptions such as UNIX, Windows and Database Administrators then the 20-30,000 number is probably on the low spectrum of the scale.

CSIS rightly mentions these people and its important to note that these are the backbone of any IT department, everywhere.

You'd think that there are plenty of those folks around in the IT sector, but the key word in this story is 'Capable'. During my years spent in IT I've met many people who work in IT in these positions but can hardly be called that.

There are too many hacks in this game, yet many of them hold certifications that should demonstrate otherwise. This, to me, demonstrates that most of the current certification schemes out there simply don't function as well as they should.

What I like about the list is the mention of CISO's and CIO's. In my opinion they are also listed in the right positions, as many CIO's are completely clueless when it comes to the IT sector they are supposedly serving.

For some reason unbeknownst to me, IT is the only area where C-level management is chosen based mostly on what their alma mater is and what fraternity they were a member of.

When is this going to stop? Why don't CEO's have the common sense to realize that most of their organization runs on its IT infrastructure and it needs a capable manager to run it?

Here in the Netherlands, this problem was acknowledged by the Nyenrode Business University and they developed an IT aspect to their well-respected MBA program. It is my belief that more of such initiatives should be taken to create better CIO's.

Another worrying trend is using CISO's as firemonkeys; a CISO gets hired to improve security but doesn't get the authority or the budget to actually change things. When a hack does occur and heavy damage is taken, the CISO takes the blame and finds himself fired. 

A new CISO is hired and the cycle begins anew. The CIO, who really deserves the blame for not taking security to the board of directors where it belongs, is comfortably staying put. Small wonder that there's a shortage of CISO's, right? I'd also like to note that hiring new CISO's will do little good if this practice is kept in place.

Looking at the list provided by CSIS, I can only draw the conclusion that the bigger problem isn't the lack of 'Cyber Warriors' but the lack of capable "regular" IT staff. Oh im sure that know-it-all, superhero-grade Cyber Warriors are needed, but I sincerely doubt that we need as many as some people seem to fear.

I also wonder if governments would be willing to pay for such expensive certifications (SANS is probably the most expensive on the market) or even the wages these experts should be getting. As you can see, there are questions all around and not many definitive answers. If you have some, please feel free to let me know.

Cross-posted from

Follow Argent Consulting on Twitter: @argentconsultin

Possibly Related Articles:
Security Training
Information Security
Certification Training Chief Information Officer Information Security CSIS Professional Netherlands Cyber Guardian
Post Rating I Like this!
Michael Thibodeaux I completed an Information Assurance Study in June 2009 and since then I have not been able to find a position that uses this knowledge. All positions require a cert and I do not have one (as of yet).
Don Eijndhoven Hell I have a whole list of certs that never get asked for, or used. Im going to start on a Masters' degree in Cyber Security Intelligence this fall and I don't even expect THAT to actually provide me with a nice job. The Netherlands just isnt into "cyber mode" yet.

So yeah - I recognize your position. Its frustrating.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked