The SANS Institute is at the cutting edge of the war on the cyber-security skills gap – and Lance Spitzner, certified instructor at SANS, has more insight than most on the subject. Mike Hine went to meet him during a recent stop-off in London.
The security industry has a pretty healthy crop of ‘big issues’ that fuel regular debate, and perhaps chief among these is ‘plugging the cyber skills gap.’ There is an unmistakable consensus that the industry is under-resourced – but the question of how to combat this raises several further questions. Do we place more emphasis on training and awareness? Look to draft in personnel from other IT disciplines? Or, heaven forbid, look to enlist the services of former black-hat hackers?
There are few people better poised to answer these questions than Lance Spitzner, 15-year veteran of the security industry, author of several books, and certified instructor at the SANS Institute, which he describes as “the world leader in cyber-security training.” I caught up with Spitzner on a recent teaching stint in London, where he delivered a SANS class on ‘Securing the Human.’
Unsurprisingly, he had plenty to say on the infosec skills shortage. “The unemployment rate in cyber-security is around 0%. Within the last couple of years organizations have started hiring for cyber-security because everyone is getting hacked and demand cannot keep up with supply. There is a massive talent shortage, which is going to last for the next five years.”
Given the number of high-profile security incidents in the last year alone, the thought of another five years of the security industry being on the back foot is somewhat alarming. “Keep in mind that you can never have perfect security,” Spitzner reminded me. “There are always going to be issues. What people are concerned about is that we may be getting close to that breaking point.”
It’s clear that demand for security professionals is high, outweighing the supply, and salaries must rise to reflect this. But Spitzner sounds a cautionary note about the financial lure of the industry to those looking to embark on a cyber-security career.
“Because the wages are so high, some people are jumping on board calling themselves security experts, but all they know is a couple of buzzwords. Put them in front of a computer and they don’t know what to do. Can they actually look at the packets? Can they actually do forensics? Can they actually hack into a computer?”
It would appear, then, that retaining highly skilled practitioners is yet another pressure on organizations. “If you’re really good at what you do then everyone knows it – including your competitors. That’s why government is having such a hard time. You can get wonderful experience in government, but as soon as you get good, the private sector can triple your salary.”
The SANS Institute, Spitzner told me, is all about mitigating the skills shortage. Its unique quality is its emphasis on hands-on training, he said: “You’re not going into a six-day class to learn about theory. We’ll show you how to do a pen test, give you a laptop, and say ‘hack this computer.’”
With conferences all over the world and teaching programs covering everything from forensics to log management, SANS is running full steam ahead in its aim of “training security professionals how to be even better.” But are we doing enough to entice the right people into the industry in the first place? And who exactly are ‘the right people’?
“There are technical skills you need but it’s also a lot about the way you think. There is a new program that SANS is working with here – Cyber Security Challenge UK. We’re trying to identify high school students who have the desire but don’t have a path.”
Finding the right people and giving them skills is the raison d'être of educational institutions like SANS. But there are also a lot of the ‘wrong people’ with the right skills out there. Does Spitzner think we should tap into this resource?
“In general, I would be uncomfortable,” he stated. “There may be exceptions; maybe someone really gifted who did something stupid when they were young. But if they’re a hardened criminal, no way.”
Nonetheless, the kinds of skills required by both sides are the same: “If I take a good security guy and a good hacker, 95% of them is the same. It’s the exact same set of skills – a desire to learn, creativity. The only difference between a security professional and a cyber-criminal is ethics.”
No word cropped up more in this conversation than ‘skills’. But what do we really mean by this? What exactly are the skills needed in today’s cyber-security landscape? I suggested that the expanding range of attack methods and vectors requires professionals to be aware of a wider array of problems and responses than ever before.
“It’s actually a little bit the opposite – the jack of all trades was appropriate ten years ago, and it’s still a good place to start. But now because technology has exploded and become so much more complex, we see people specializing. People will specialize in penetration testing, mobile, cloud – but now when they specialize it takes years. It’s like getting a college degree.”
As the conversation drew to a close, I asked Spitzner to reflect on his time in the industry and how the landscape has changed. “A lot has changed and a lot has not changed. Technology has evolved so much and companies are adopting technology so much that we just can’t catch up. The bad guys are just one step ahead of us. Crime has always existed – it always will exist. The problem is that the bad guys are winning much more in the cyber world than in the physical world.”
Reversing that trend, clearly, is the first step on the road to establishing a truly safe internet.