Application security

Why a skills shortage is one of the biggest security challenges for companies

December 15, 2021 by Ted Harrington

Almost every company building an application needs to secure it, and yet all of them face an enormous constraint: talent. 

Security requires a highly specialized skill set, which is in extreme shortage and will continue to be so for the foreseeable future. There are several reasons for this skills shortage, ranging from limitations in formal education to misperceptions about what a career in security even entails. 

Your company can’t have adequate security without skilled individuals making it happen, so what can you do to build the right security team?

By understanding the talent shortage, you can anticipate what to do about it. 

Education is a security bottleneck

The first cause behind the security-talent shortage is education and experience opportunities. Formal education isn’t (yet) optimized to create enough security talent. 

Many ethical hackers come out of computer science degree programs, yet most programs treat security as an area of interest, rather than a core discipline. Security-specific degree programs are popping up, but there still aren’t enough of them to produce enough skilled security professionals, let alone at the level of expertise that’s needed.

Furthermore, security requires extensive, real-world experience outside of the classroom, too. Most security degree programs teach the fundamentals, but what security professionals do in the field usually differs from what they learn in the classroom.  

Developing security skills takes a long time and requires accumulating deep expertise across a broad range of domains. There’s no single place where all of this information can be found, so it takes a lot of grit just to find the relevant information, let alone master it. Taken together, these factors mean that formal education produces fewer qualified security professionals than the world needs. 

Security has perception issues

The second cause behind the talent shortage is the common perception that security is ridiculously hard. Rising computer scientists (of which ethical hackers are a subset) often pursue other things instead. 

This misunderstanding of the field also feeds into a perception that, as one ethical hacker put it, “Security people are seen as wizards beyond mortal understanding.” This suggests that if you’re not already one of them, it’s not worth trying to become one. 

That simply isn’t true: the best security professionals — literally every single one of them — learned the skills along the way, too. Nevertheless, this perception deters a lot of talented people from even getting started. 

Security is adversarial

Lastly, security by its very nature is adversarial. The purpose is to pit two forces against each other. It’s not just about being creative (as is the case with almost all of computer science); it’s about being more creative than someone else. To succeed in the security field, you need to outsmart the hackers working against you, a requirement that can be stressful and intimidating.

Many talented people decide they’d rather compete against the constraints of what it takes to develop software than compete against other people. Most computer scientists want to build things for themselves, rather than tear apart the work of others. Yet, that’s exactly what ethical hacking is about. 

Like the perception issues around the difficulty of security, the adversarial nature of the career keeps many qualified people from ever starting. 

Dealing with the shortage

As a company that needs skilled security professionals, what are you to do in the face of this shortage?

Your best option is to take a two-pronged approach: build your own expertise in-house, and also hire an external security team. Security is a team sport, and you should pursue both. External and internal expertise complement each other and magnify each other’s impact.

Your external security partner finds security vulnerabilities; you fix them. Your partner transfers knowledge; you use it to get better. Your external partner is immune to bias as well as the strong opinions of powerful leaders in your company; they just tell you how it is, even if it’s not what you want to hear. You ensure the security mission is supported by executives and key stakeholders, while providing your partner with the access and information they need to improve your systems most efficiently. 

The talent shortage might mean building your in-house team will be a long and difficult process. With an external team complementing your internal teams, you’re able to deal with your many security challenges right away, while leaning on your external teams to help you build internal capabilities over time.

Win-win.

Posted: December 15, 2021
Articles Author
Ted Harrington
View Profile

Ted Harrington is the #1 best-selling author of "HACKABLE: How to Do Application Security Right," and the Executive Partner at Independent Security Evaluators (ISE), the company of ethical hackers famous for hacking cars, medical devices, web applications, and password managers. He’s helped hundreds of companies fix tens of thousands of security vulnerabilities, including Google, Amazon, and Netflix. Ted has been featured in more than 100 media outlets, including The Wall Street Journal, Financial Times, and Forbes. His team founded and organizes IoT Village, an event whose hacking contest is a three-time DEF CON Black Badge winner. He hosts the Tech Done Different podcast. To get help with security consulting and security assessments, or to book Ted to keynote your next event, visit https://www.tedharrington.com.

Leave a Reply

Your email address will not be published. Required fields are marked *