A recent article, “White House: Cyber Competitions Could Solve Skills Shortage”, reminds us that the cyber skills gap and the never-ending search for talent are likely to remain an ongoing discussion point for some time. The piece informs us that,
“The Office of Science and Technology Policy hosted a workshop aimed at encouraging volunteers and organizers to step up national cyber security competitions that could propel children into science, technology, engineering and math tracks…”
Apparently, a majority of ITsec professionals across the globe agree that governments are not doing enough to attract people to the field, so at least this new drive by the White House appears to be an attempt to do something.
This raises a few points, though. First, this might help in the long term by raising awareness of the profession and recruiting more students, especially more women, into STEM fields, which is a good thing. But would concrete relief from even a partial solution be less than a decade away, or a generation away? Let’s check in 10 years. In the meantime, there were supposedly over 200,000 security positions vacant and unfilled in the US alone in 2015.
Hackathons for Recruiting?
The second point to think about is that it’s doubtful hackathons are generally effective at recruiting people with the skills needed to defend. The point of NIST SP 800-160 is to promote system security engineering and design in order to produce trustworthy systems. Do hackathons support such worthwhile initiatives? If the odds are stacked against the defender, will hackathons simply attract candidates who are drawn to breaking? And how long can businesses afford to wait for skilled people to turn up?
An article from a few years ago, “First National Bank of Omaha Discovers Tech Talent Through Hackathons”, describes how a mid-size bank has turned to recruiting IT talent this way. Hopefully they are looking at personal attributes as well as basic hacking skills. Many people seem to subscribe to this thinking and strategy, though. Is it a good one? Is there any evidence that breaking skills translate into building secure systems? I really haven’t come across it myself, but I’ve found more of the opposite view.
In his post “On Competitions and Competence”, Professor Eugene Spafford, an elder statesman of infosec, says
“We have well-meaning people who somehow think that “contests” are useful in resolving part of the problem.”
“If what is being promoted are competitions for the fastest hack on a Wintel platform, how is that going to encourage deep thinkers interested in architecture, algorithms, operating systems, cryptology, or more?… Competitions encourage the mindset of hacking and patching, not of strong design.”
“In short, competitions select for a narrow set of skills and proclivities — and may discourage many of the people we most need in the field to address the underlying problems.”
As Dr. Spafford points out, how can hackathons be designed so that they do not merely recruit a new generation of breakers? Infosec needs builders, not breakers.
Since Ian Tibble usually puts it better than most of us ever could, there’s this from his “The Search For Infosec Minds” post,
“In 2012 we can make a clear distinction between protection skills and breaking-in skills. This is because as of 2012, 99.99…[recurring to infinity]% of business networks are poorly defended. Therefore, what are “breaking-in skills”? So a “hacker” breaks into networks, compromises stuff, and posts it on pastebin.com. The hacker finds pride and confidence in such achievements. Next, she’s up on the stage at the next conference bleating about “reverse engineering”, “fuzzing”, or “anti forensics tool kits”…nobody is sure which language is used, but she’s been offered 10 jobs after only 5 minutes into her speech.”
“However, what is actually required to break into networks? Of the 20000+ paths which were wide open into the network, the hacker chose one of the many paths of least resistance. In most cases, there is no great genius involved here.”
“The thought process behind hiring a hacker is typically one of “she knows how to break into my network, therefore she can defend against others trying to break in”, but it’s quite possible that nothing could be further from the truth. In 2012, being a hacker, or possessing “breaking-in skills”, doesn’t actually mean a great deal. Protection is a whole different game. Businesses should be more interested in protection as of 2012, and for at least the next decade.”
Addressing Current Needs
No one is saying that an enterprise could never find a potential prospect for employment at such an event. If anyone can find an honest, keen and smart recruit these days, then more power to them. It’s just that the cyber skills needed for finding and exploiting some new vuln are not the same thing as hardcore system security engineering and design. As Spaf says, “competitions encourage the mindset of hacking and patching, not of strong design.” So can the glamor of breaking attract recruits for building?
One should be realistic about what is likely to be gained from this kind of talent recruiting, and tread cautiously. Otherwise, governments and enterprises with unrealistic expectations may be setting themselves up for disappointment. Since new recruits to the field were needed years ago, what can be done more immediately than waiting for young people to filter up and graduate through the education system?
Obviously, other strategies are needed to enable business enterprises to cope better, and sooner.
In other words,
– Find ways to do more with less! It’s a necessity!
How can the business enterprise get more out of the staff they do have, now and in the nearer-term?
Necessary Strategy – Extend Current Human Capital
When the most desired solution to a skilled staff shortage, getting more staff, is basically a no-go, perhaps it’s time to consider other strategies and possible solutions. By process of elimination, this means new models and technology, not rearranging the deck chairs.
Consider the following:
- Reduce complexity, simplify security and facilitate security management.
- Consider new models that intuitively map and align better to the business.
- Build and design for work load efficiency to reduce current workloads per person.
- Seek technical solutions that allow other current IT staff to train-up to ITsec roles quickly.
- Reduce dependence on time consuming but less effective defensive technologies.
- Utilize technologies that tip the advantage to the defender.
- Ramp up levels of trustworthiness and assurance so that systems can resist system hacks and tampering and whitelist end-user behaviours, thereby reducing the staff time required for incident response and disaster recovery. (Less time putting out fires, less trench warfare.)
- Use technologies that allow fast training up to speed, are pre-configured and/or are plug and play.
- Make full use of automation and AI for security operations. See the short TUX AI tour here.
The beauty of this is that not only would it help in coping with the shortage of skilled staff now, it would also reduce the personnel numbers needed in the future.
If you’re thinking this is just wishful thinking, Trustifier is able to deliver solutions that provide a lot of this now, or has innovations in development with availability targeted for the not too distant future.