Despite recent high-profile tech industry layoffs, demand for cybersecurity professionals is still very high. With so many tech industry workers looking for their next job, why aren’t these displaced workers being recruited?

Better matching of candidates who are less likely to need retraining as cybersecurity technicians may hold the answer. Demand for cyber workers is set to increase by 25% in 2022, and much commentary exists about the need to hire cybersecurity talent from non-traditional backgrounds, such as bartenders or schoolteachers.

According to data released in late January from the cybersecurity workforce analysis site developed by NIST, CompTIA and the National Initiative for Cybersecurity Education with Lightcast, the total number of employed cybersecurity workers is expected to remain fairly stable in 2022 at about 1.1 million. The number of online job postings declined from 769,736 to 755,743 in the 12 months ending December 2022.

“Despite concerns about a slowing economy, the demand for cybersecurity employees remains historically high. Companies know cybercrime won’t stop for a downturn in the market, so employers don’t want to risk stopping their cybersecurity hiring,” said Will Markow, Lightcast Vice President of Applied Research – Talent.

According to Lightcast data, each of the first nine months of 2022 set a record for the highest monthly cybersecurity demand since 2012, but demand cooled off in November and December. A key indicator is the ratio of currently employed cybersecurity employees to new openings, which shows how significant the workforce shortage is.

The supply-demand ratio is currently 68 workers per 100 job openings, up from 65 workers per 100 jobs in the previous period. Based on these numbers, approximately 530,000 more cybersecurity workers are needed in the US to close current supply gaps.

Some industry researchers suggest that hiring cybersecurity talent from non-traditional backgrounds, such as bartenders or schoolteachers, is an ideal out-of-the-box solution.

Unrealistic idea given the technical constraints

Other cyber professionals argue that such a solution is not in line with the reality of the industry. Mainly, the barriers to entry remain high, with many organizations still using outdated recruitment methods, such as requiring certification that is impossible to obtain without work experience.

Lenny Zeltser, CISO at cybersecurity asset management company Axonius and instructor at cybersecurity training, certification and research firm SANS Institute, also finds it surprising that no one is talking about what happens once you land a cybersecurity position in the first place, and how difficult it is to move up the hierarchy.

There is little or no guidance on how to go from cyber practitioner to chief information security officer, or CISO. Many organizations lack standards and structure for how to pay cyber practitioners, and many employees know the only way to advance is to move to another company, he argued.

People are simply starting the conversation in the wrong place, Zeltser offered. Companies must first address the “cyber security career gap” before they can begin closing the cyber industry skills gap.

He said that learning computer security skills is not the primary issue. Many avenues exist for those motivated to acquire the necessary skills. The problem is the expectation of what skills are needed.

“I believe there are a lot of opportunities out there for people to acquire security skills. So it leads me to consider that maybe there is more to it,” Zeltser told TechNewsWorld.

“Maybe we have unrealistic expectations for what we’re looking for.”

Forget Ideal Candidates

Perhaps the typical unicorn situation, where companies want one security professional who can do everything, is the culprit, he said. It is such a specialized field, with so many specialized subsets, that it is difficult to be an expert on everything within cybersecurity.

“We’re not open enough to let people with unusual non-technical backgrounds enter the field,” Zeltser said.

He offered an example from his previous roles within the industry. With slight variations, hiring managers want their recruits to be able to do X, Y, and Z. Not seeing those abilities on a resume puts job applicants in the skills-gap category.

What is the solution? Take cyber applicants with a few skills and train them for the rest.

Zeltser recalled an employer looking for security experts who would provide customer support. The company needed entry-level security personnel, but they were not available.

The company recruited tech-savvy bartenders who were interested in computers and could set up their own Wi-Fi. But they had only done this at home, he explained.

“We found that we were able to train them in the right security skills in the office. But we didn’t need to train them, and it’s very hard to teach them, how to multitask and how to think on their feet and how to interact with humans,” Zeltser said. It turns out the bartenders are really nice.

Need a positive end result

Zeltser found many occasions where he could have been more open, and it became a necessity. “Being more open means changing your mindset to accept people from non-technical, non-traditional backgrounds,” he offered.

“I wish we could stop telling people in the industry that if they enter the field as a security professional, they should work at the pinnacle of a career in cyber security, which is the CISO role. The thing is, there aren’t enough of these roles,” he said.

According to Zeltser, the industry does not need as many chief security officers as it needs other types of security professionals, which sets people up for failure.

“We’re asking them to work in that direction, and that’s how we define success. But instead, we can talk about other ways in which people can be successful, because not everyone has to be an executive; not everyone should be a manager,” he said.

Skill gap meets security gap

Even with a shortage of trained cybersecurity personnel, many organizations are on the right track in securing their business and mitigating cyber risk. The challenge, according to Joseph Carson, chief security scientist and consultant CISO at Delinea, is that large security gaps still exist for attackers to abuse.

“The security gap is widening not only between business and attackers, but also between IT leaders and business executives,” he told TechNewsWorld.

Carson acknowledged that some industries are showing improvement. But the issue still exists.

“Unless we solve the challenge of communicating the importance of cybersecurity to executive boards and the business, IT leaders will continue to struggle to obtain the resources and budget needed to close security gaps,” he warned.

Need a better career path

Organizations need to continue expanding their recruiting pools, account for bias that may currently exist in cyber recruiting, and provide in-depth training through apprenticeships, internships, and on-the-job training. This helps build the next generation of cyber talent, said Dave Gerry, CEO of crowdsourced cybersecurity platform Bugcrowd.

“By creating opportunities for career development and rallying behind our mission to help protect our customers, their customers and the wider digital community from cyberattacks, employees feel they have a greater say in themselves and the wider community. There is an opportunity to improve,” he told TechNewsWorld.

Gerry said that over the years, we have been led to believe that there is a significant gap between the number of open jobs and the candidates qualified to fill those jobs. While this is partially true, it does not provide an accurate view of the current state of the market.

“Employers need to take a more proactive approach to recruiting from non-traditional backgrounds, which, in turn, broadens the candidate pool from those with only formal degrees to individuals who have incredibly high potential with the right training,” he said.

Maybe a better option

The recently released National Cybersecurity Strategy will demand more than the industry can currently offer, which could slow processes down massively, predicted Guillaume Ross, deputy CISO at cyber asset management firm JupiterOne.

It will be necessary to prioritize and reduce the attack surface as much as possible. Also, security measures should ensure that developers, IT, and even business/process management people integrate security into their daily work routines.

“Improving the security skills of a million developers and IT workers will have a much better impact than training a million new ‘security people’ from scratch,” Ross told TechNewsWorld.

Large-scale universal solution

The cybersecurity skills shortage is not just a problem for US industry. Ravi Pattabhi, vice president of cloud security at ColorTokens, an autonomous zero-trust cybersecurity solutions firm, said there is a severe shortage of skilled cybersecurity experts across the globe.

Some universities have started teaching students basic cybersecurity skills, such as vulnerability management and system hardening. Meanwhile, cybersecurity itself is undergoing a transformation.

“The industry is increasingly incorporating cybersecurity into the design phase and building it into product development, code integration and deployment. This means that software developers also need basic cybersecurity skills, including the use of the MITRE ATT&CK framework and pen-test tools,” Pattabhi told TechNewsWorld.

Lately I’ve been thinking a lot about how to think. There are a couple of reasons for this.

First, thinking well is a prerequisite for developing credible expertise in any computer science or engineering discipline. With the right mental toolset, you can bootstrap knowledge of any subject matter you might need.

Second, in my experience, it is the aspect of computer science and engineering that gets the least attention. There is a real influx of online training resources. But most of them cut right to the nuts and bolts of acquiring basic proficiency with software tooling, enough to qualify someone for a job. This is understandable up to a point. If you’ve never programmed before, the skill you immediately feel you lack is programming language use. In that situation, it is natural to attack it directly.

But while it’s not as exciting as rolling up your sleeves and saying “hello” to that world, taking the time to learn how to think, and how to solve problems that can’t be solved by hard coding, will pay off in the long run.

I will outline what I have found to be the most essential cognitive skills contributing to engineering success.

Your harshest critic should be your thinking

The primacy of critical thinking is such a clichéd aphorism that most of the people I urge to examine it have become numb to it. This should not lead anyone to mistakenly believe that it is not essential, however.

Part of the problem is that it is easy for those who advocate critical thinking to assume that their audience knows what it is and how to do it. Ironically, this assumption itself could benefit from some critical thought.

So, let’s go back to basics.

Wikipedia defines critical thinking as “the analysis of available facts, evidence, observations, and arguments for decision-making”. What do the words carrying the most weight mean here? “Fact,” “evidence,” and “observation” are related, because they all try to establish in their own way what we believe to be true.

“Facts” are usually things first proven by other people whose understanding we trust. “Evidence” consists of specific measured results recorded by you or other trusted persons. “Observations” are those made by the critical thinker himself. If these, too, were events that others (and not the thinker) had witnessed, how would this be meaningfully different from “evidence”?

“Arguments” is the odd one out here, but for good reason. That’s where “thinking” (logic in particular) really starts to do its heavy lifting. “Arguments” describes how the thinker makes rational determinations that point to additional knowledge based on the interplay of facts, evidence, and observations.

The most important word of the definition is “decision”. Critical thinking is not necessarily about proving new truths. It only requires that consideration of all of the foregoing yields some overall judgment about what is under consideration.

These decisions are not absolute, but may be probabilistic. As long as the result is that the thing under consideration has been “judged”, and the judgment holds for all available information (not just the information that leads to the desired conclusion), then the critical thinking exercise is complete.

medical procedure

I doubt if that’s what most people mean when they say “critical thinking”. What really matters, however, is whether you practice critical thinking yourself. Funny enough, the way to evaluate whether you think critically… is to think about it critically. Meta, I know, but you have to go there.

In fact, what we’ve just done in posing these questions is a kind of critical thinking. I have my own approach to critical thinking, which is to ask, “Why is X like this?” As I understand it, what elements acted upon, or must have acted on, X, and are those elements manifesting, or producing effects, in other ways I would expect? This is helpful because it acknowledges that nothing exists in a vacuum, which helps ensure that you account for all available facts, not just the obvious ones.

With a working understanding of the practice of critical thinking, get into the habit of using it to sift reasonably verified reality from perceived reality. Try not to believe anything to be true until you have verified it through this process. Does the given statement match the other facts you have on the matter? Is it plausible? Does it make sense given the context?

I don’t need to tell you how valuable this is when working with computers. I shouldn’t have to, because now you (if not before) are able to figure it out for yourself.

Try before you cry

This is something that has appeared in my other pieces, but which deserves to be reiterated here in the interest of completeness.

We all need help sometimes, but your coworkers will expect you to try to solve the problem yourself first. Time is a scarce resource, so they want to know that their time is being spent wisely. If the answer was a Google search away, it probably isn’t. Also, if you’ve tried to solve it yourself, the person helping you can pick up where you left off. This lets them rule out a number of possible causes that take time to test.

You also never know whether your fellow engineers will be available or knowledgeable enough to help when you need it. What if you’re the only one who knows anything about the project you’re working on? Or what if you’re on such a tight deadline that you can’t wait for a response? Develop dependable problem-solving habits, because ultimately that is all you have.

What does this mean in practice? Have a troubleshooting process. Write down step-by-step basic diagnostics for the major types of problems you face. Then run whatever diagnostics apply.

Prepare a list of reliable reference materials and consult them before asking questions. Each time an issue sends you to the user manual, keep track of where you looked and what was and wasn’t there. Then, when it’s time to ask for help, compile the results of your diagnostics and excerpts from the reference material, and present everything to whomever you ask. They will appreciate that you did.

Learn Skills, Not Factoids

Like every field, there are certainly facts you should remember. For example, your life as a developer will become easier if you memorize the syntax of conditional statement blocks in your go-to language.

Yet this is not as important as acquiring the skill set. For example, if you remember the syntax of your regular programming languages, you can go decently far. But what if you need to learn a module or an entirely new language that formats things differently? If instead you know how to find what you need from reliable sources, it may take longer, but you will get the right answer no matter what software or language you are using.

The iterative and incremental design paradigm for software development is an example of a skill.

Here, “incremental” relates to modularity. It prompts the developer to break the overall project down into the smallest possible pieces, with each piece doing only one thing and operating as independently of the others as possible (ideally, not depending on them at all). Then the developer’s task is simply to build each piece one by one.

The “iterative” element means that the developer continues to build, edit, and test each component cyclically until it works on its own. Until then, nobody moves forward. This applies not only to any language or any application being built, but also works well beyond the scope of computers.

This design philosophy is just one example of how a skill serves engineers better than a rote process, but many others exist. Figure out what skills your discipline needs and get comfortable using them.

Stop by the Bakery, You’ll Need Breadcrumbs

Write down everything. Since writing notes is cheaper than ever, nothing can stop you. If you prefer digital, you are essentially free to write as much as you want. Open a word processor and see for yourself. If notebooks are your thing, a few bucks at an office supply store and you’re set.

Reading notes is also cheaper in time spent than trying to find something on the web over and over again. There’s no reason for you to look something up twice as long as it hasn’t changed since the last time. It’s tempting to assume that you’ll remember something or won’t need it anymore. Don’t. If you do, you will eventually be wrong, and it will take unnecessary time to find it again.

Your notes are also the only place where you can tailor what you learn to suit your needs. The web has no shortage of answers, but they may not be exactly what you need. If you take notes, you can refine the information for your use case before recording it.

The real trick with notes is to have an organizational system. There is no point writing things down if you can’t find them again. Even if you’re already an avid note taker, try a few note-taking techniques until you find one you like.

Step up to the starting block

When running, you set yourself up for victory or defeat in your training. If you haven’t trained diligently, working extra hard won’t make any difference when the competition starts. That said, you still have to put it into practice on the track.

The cognitive skills I discussed are not even the training itself, but your coach’s fitness regimen. I am certainly no Olympic coach, but that beats having none. The training is now in your hands.

Government organizations and educational institutions, in particular, are increasingly in the crosshairs of hackers as serious web vulnerabilities continue to rise.

Remote code execution (RCE), cross-site scripting (XSS), and SQL injection (SQLi) are all top software offenders. All three keep rising or hovering around the same alarming numbers year after year.

RCE, often the end goal of a malicious attacker, was at the center of the IT scramble in the wake of the Log4Shell exploit. This vulnerability class has seen a steady increase since 2018.

Enterprise security firm Invicti last month released its Spring 2022 AppSec Indicator report, which reveals web vulnerabilities from more than 939 of its customers worldwide. The findings come from an analysis of the Invicti AppSec platform’s largest dataset — more than 23 billion customer application scans and 282,000 direct-impact vulnerabilities discovered.

Research from Invicti shows that one-third of both educational institutions and government organizations experienced at least one incident of SQLi in the past year. Data from 23.6 billion security checks underscores the need for a comprehensive application security approach, with governments and education organizations still at risk of SQL injection this year.

Data shows that many common and well-understood vulnerabilities in web applications are on the rise. It also shows that the current presence of these vulnerabilities presents a serious risk to organizations in every industry.

According to Mark Ralls, President and COO of Invicti, even well-known vulnerabilities are still prevalent in web applications. To ensure that security is part of the DNA of an organization’s culture, processes and tooling, organizations must gain command of their security posture so that innovation and security work together.

“We’ve seen the most serious web vulnerabilities continue to grow, either stable or increasing in frequency, over the past four years,” Ralls told TechNewsWorld.

Key takeaways

Ralls said the most surprising aspect of the research was the rapid rise in the incidence of SQL injection among government and education organizations.

Particularly troubling is SQLi, which has increased in frequency by five percent over the past four years. This type of web vulnerability allows malicious actors to modify or change the queries an application sends to its database. This is of particular concern to public sector organizations, which often store highly sensitive personal data and information.
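To make concrete what it means for an attacker to change the queries an application sends to its database, here is an added example (not code from the Invicti report or from the article): the same user lookup written once by concatenating untrusted input into the SQL text and once with a bound parameter, both run against a constructed in-memory SQLite table. The table contents and the inputs are made up for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not real records).
SAMPLE_USERS = [("alice", "ops"), ("bob", "finance"), ("carol", "hr")]


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, dept TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Look up a user by name with the input spliced into the query text.

    The database parser cannot distinguish the application's SQL from
    the user's data, so a quote character in `name` changes the query's
    structure instead of being compared as a value.
    """
    sql = f"SELECT name, dept FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Look up a user by name with a bound parameter.

    The query text is fixed; `name` travels separately as a value, so it
    can only ever be compared against the column, never parsed as SQL.
    """
    sql = "SELECT name, dept FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Return both lookups' results for one input, for side-by-side review."""
    conn = make_db()
    return {
        "vulnerable": sorted(lookup_vulnerable(conn, name)),
        "parameterized": sorted(lookup_parameterized(conn, name)),
    }


if __name__ == "__main__":
    # A benign input behaves the same either way.
    print(compare("bob"))
    # A quote-bearing input rewrites the concatenated query's WHERE clause,
    # returning every row, while the parameterized query matches nothing.
    print(compare("x' OR '1'='1"))
```

The takeaway for a code review or a scanner rule is the shape of the call: any `execute` whose SQL string is built with f-strings, `%` formatting or `+` from request data is the pattern the report counts as SQLi, and the fix is the same bound-parameter form regardless of the database driver.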

RCE is the crown jewel for any cyber attacker and was the driver behind last year’s Log4Shell incident. It has also increased by five percent since 2018. XSS saw a six percent increase in frequency.

“These trends were echoed throughout the report’s findings, revealing a worrying situation for cybersecurity,” Ralls said.

Skill gap, lack of talent included

Another big surprise for the researchers is the increase in the number of vulnerabilities reported by organizations that scan their assets. There can be many reasons for this. But the lack of software developers trained in cybersecurity is a major culprit.

“Developers, in particular, may need more education to avoid these errors. We have noticed that vulnerabilities are not being discovered during scanning, even in the early stages of development,” Ralls explained.

When developers don’t address vulnerabilities, they put their organizations at risk. He said automation and integration tools can help developers address these vulnerabilities more quickly and reduce potential costs to the organization.

Don’t Blame Web Apps Alone

Web apps aren’t getting any less secure per se. It’s a matter of developers being tired, overworked and often not having enough experience.

Often, organizations hire developers who lack the necessary cybersecurity background and training. According to Ralls, with the continuing push towards digital transformation, businesses and organizations are digitizing and developing apps for more aspects of their operations.

“In addition, the number of new web applications entering the market every day means that every additional app is a potential vulnerability,” he said. For example, if a company has ten applications, it is less likely to have one SQLi than if the company has 1,000 applications.

Apply treatment

Business teams – whether developing or using software – require both the right paradigm and the right technologies. This involves prioritizing a secure design model that covers all the bases and bakes security into the pre-code processes behind the application architecture.

“Break up the silos between teams,” Ralls advised. “Particularly between security and development – and make sure organization-wide norms and standards are in place and applied universally.”

With regard to investing in AppSec tools to stem the rising tide of faulty software, Ralls recommends using robust tools that:

  • Automate as much as possible;
  • Integrate seamlessly into existing workflows;
  • Provide analysis and reporting to show evidence of success and where more work needs to be done.

Don’t overlook the importance of accuracy. “Tools with low false-positive rates and clear, actionable guidance for developers are essential. Otherwise, you waste time, your team won’t embrace the technology, and your security posture won’t improve,” he concluded.

Partial blind spots at play

Ralls said critical breaches and dangerous vulnerabilities continue to expose organizations’ blind spots. For proof, see the tornado of effects from Log4Shell.

Businesses around the world scrambled to test whether they were susceptible to RCE attacks through the widely used Log4j library. Some of these risks are increasing in frequency when they should be going away for good. It comes down to a disconnect between the reality of risk and the strategic mandate for innovation.

“It is not always easy to get everyone on board with security, especially when it appears that security is holding individuals back from project completion or would be too costly to set up,” Ralls said.

An increasing number of effective cyber security strategies and scanning technologies can reduce persistent threats and make it easier to bridge the gap between security and innovation.