A Risk Management-based Look at the Infosec Skills Gap

looking at the wide range of positions comprising the information security profession, there is no arguing that gaps of highly skilled professionals exist across most of the knowledge and skill levels
looking at the wide range of positions comprising the information security profession, there is no arguing that gaps of highly skilled professionals exist across most of the knowledge and skill levels

The information security skills gap debate has been brewing for years. One of the major arguments is that the profession’s skills gap is most critical at the technical level. However, protecting our national infrastructure lies in filling existing technical shortcomings. Is the perception and the narrow focus on technical skills really the best approach in evaluating this gap?

When evaluating the widely recognized trend, at first glance, the gap in technical skills may appear to be the widest. “The IT security skill gaps are vast, and there is a shortage of strong candidates in most of the key technical areas, i.e., penetration testing, cloud security, IT forensics, and PCI compliance”, says Robert Wall, principal consultant and team lead, EMEA, in the Security Division at Evolution Recruitment Solutions. Or could it be those in organizations that have defined an area of technical specialty as the immediate priority are communicating their need the loudest?

If the perspective is broadened beyond the technical, looking at the wide range of positions comprising the information security profession, there is no arguing that gaps of highly skilled professionals exist across most of the knowledge and skill levels. Certainly technical specialists are in high demand; however, the need for generalists in the workforce is far greater than the need for specialists.

Technical Bias

The idea that the greatest skills gap is technical in nature is short-sighted and demonstrates a lack of understanding about the industry’s diversity. To begin to understand how expansive the information security field is, one need only look to the National Initiative for Cybersecurity Education (NICE) National Cybersecurity Workforce Framework version 1.0, which defines 31 specific positions, including apprentices, journeyman and master levels for each position.

According to the US Labor Department, US employment in information security is at an all-time high of 48,500 – up from 44,750 – in the third quarter of 2012, but most practitioners would argue that the field is actually much larger based on the US Bureau of Labor Statistics’ limitations in how it defines the field.

The bias toward prioritizing the “technical” gap stems from those who believe information security professionals should be primarily technical, with a focus on managing firewalls and intrusions systems, performing incident response and forensics and generally managing and securing the information technology infrastructure. This theory is widely opposed by those who believe that technical skill is only one part of an information security professional’s arsenal and advocate a broader and deeper understanding of the landscape.

“There is no arguing that the ability to address all forms of breaches quickly and effectively is an essential aspect of any cybersecurity plan”, notes W. Hord Tipton, (ISC)² executive director and former CIO of the US Department of Interior. “While you cannot do without the technical warriors, you must invest recruiting efforts and limited resources in trained professionals who offer a much broader set of skills.” In his view, there is a great need in all areas of information security, not just in the technical arena.

Applied Knowledge

What is believed to be missing from the ‘technical’ advocate’s view is the importance of knowing how to actually apply security in an organization. The ability to make strategic, risk-based decisions when applying security measures is not so much a technical skill as it is an understanding of the organization’s business and the importance of information to managing that business.

A technical expert looks at all vulnerabilities as problems that need to be fixed and often does not consider the cost of repair or the potential impact on the business strategy of his/her organization. In contrast, a ‘generalist’ who is skilled in business risk analysis would see the same situation from a different perspective and ask: ‘How important is the data to the organization and is it worth the cost to fix, or should the business accept the risk?’

Tipton adds: “The most valuable information security professional is the one who can develop and implement a sound security plan, understands risk management, demonstrates solid communications skills, has the ability to earn and sustain credibility with senior leaders, and who knows enough about specialty areas that they can apply effective solutions.”

According to the (ISC)² 2011 Global Workforce Study, the global information security workforce comprises roles in management (31%), operational (27%), hardware (8%), auditing (16%), architecture (14%) and software (4%). The survey also reports that growth in the profession will be mostly in the managerial realm rather than the hardware/software technical field.

The US Bureau of Labor Statistics (BLS) defines information security analysts as those who plan, implement, upgrade or monitor security measures for the protection of computer networks and information. They may ensure appropriate security controls are in place that will safeguard digital files and vital electronic infrastructure, as well as respond to computer security breaches and viruses.


When you consider the study estimated 2.28 million people in the information security field as of December 2011, and predicted 4.24 million by 2015, the case for prioritizing growth in the technical field weakens. It appears that a flat line of people performing technical work would be closer to reality.

While no similar study was conducted in 2012, it will be interesting to see what conclusions might be drawn from the 2013 (ISC)² Global Information Security Workforce Study, due out in early 2013. According to John Colley, managing director of (ISC)² EMEA: “The skills gap has been high on the agenda of (ISC)² since 2012, when estimates that the information security workforce would need to double within five years surfaced.”

Team Diversity

Still, some may argue that with the increase of advanced persistent threats (APTs) from nation-states, organizations will require additional offensive measures that will ultimately reshape the information security workforce. When looking at a workforce in the hundreds of thousands or more, a few hundred specialized technical people becomes an insignificant number of additional workers to fill this niche workforce requirement.

Much has been made about the ‘cyber warrior’, but for those who actually do the work, it is not the individual who builds the attack and defense software. This requires a team of specialists, each attacking a different component of a target infrastructure, to make it effective.

Even attack software, to be truly effective in striking a target, will meld a number of attack methods together for different types of networks, operating systems and application software to perform the intended function. Just as traditional criminal organizations use a ‘divide and conquer’ strategy to carry out attacks, so do cybercriminals. A diverse brand of criminals demands a diverse, solid security team comprising both technical specialists and security leaders.

Closing the Gap

So, now to answer the question: Do we have a skills gap? The answer appears to be a resounding ‘yes’. Is the answer to this dilemma to train more technicians? Research on a large representation of the information security education and workforce community would say the answer is ‘no’.

What can organizations do to ensure the talent they hire is what they need both today and over the long haul? Although risk analysis has been used for years, application of the US National Institute of Standards and Technology (NIST)’s Risk Management Framework has not been fully considered or implemented by security professionals. Organizations must consider the growing need for risk-minded security talent and plan their recruiting/hiring accordingly.

A profession with an unemployment rate of 2% or less would indicate that individuals in the field are unemployed only for very brief periods between jobs and that the profession resides at more than full employment. The US Bureau of Labor Statistics (BLS) began reporting on employment of information security analysts in 2011 and has found no unemployment since it began tracking the field.


One of the key areas of focus for organizations must be to implement a continuous training program to keep up with technology. Consider that over the last few years, we have seen new methods and ideas of managing data, such as cloud computing, Big Data, and mobile computing. Each of these trends impacts and changes existing architectures. Technologists must change to meet the new demands.

Consider the option of hiring at an entry level and teach the required skills as your organization’s needs change. “Some of the larger organizations are trying to address the skill gap issue by taking people on a trainee level and teaching the required skills in-house”, observes Wall. “This will take some time but will, in the long term, resolve the issues for these businesses.”

Companies contemplating the use of contractors to fill the gap must consider if “they [should] spend money training candidates in appropriate skills and accept that some will move on, or do they save the training costs and head hunt the skilled candidates at higher-than-market salaries? The latter may be more cost effective in the short term, but will not address the general lack of available talent in this sector”, according to Wall.

While we wait for the skills gap problem to be resolved, organizations must contribute by sharing in the development of talent and investing in training to help close the gap of trained professionals. Governments, despite lean budgets, must make the financial commitment to meet the training demands to fill this need as well. Finally, professionals in technology areas must work diligently to meet the evolving demands of technology and to understand changing business requirements so that, ultimately, continuous learning becomes a hallmark of the profession.

Members of the Bureau include federal IT security experts from government and industry. Marc H. Noble, EWB Member and (ISC)² Director of Government Affairs, was lead author of this peer-reviewed article

What’s hot on Infosecurity Magazine?