{"id":636,"date":"2017-10-25T13:30:44","date_gmt":"2017-10-25T13:30:44","guid":{"rendered":"https:\/\/securitycurve.com\/?p=636"},"modified":"2017-10-25T13:30:44","modified_gmt":"2017-10-25T13:30:44","slug":"skills-gap-redux","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=636","title":{"rendered":"Skills Gap Redux"},"content":{"rendered":"

\"\"<\/a>Today is a slow news day.\u00a0 Yes, I know about BadRabbit<\/a>…\u00a0 I make this statement anyway because it seems to me like BadRabbit is boring.\u00a0 I’m sure it’s not boring to you if you’re impacted by it, but for the unimpacted news reader, it’s neither\u00a0technically interesting<\/a>\u00a0nor necessarily noteworthy from a tradecraft perspective.\u00a0 It uses human intervention to elevate privileges and lays down some dropper malware to encrypt files for Bitcoin.\u00a0 The primary implication I guess is that the first immutable law of security still applies.<\/a>\u00a0 Murf.\u00a0 In fact,\u00a0the primary reason I’d be interested in BadRabbit is attribution… which, other than analysis suggesting it’s probably the same people as NotPetya, is still up in the air.\u00a0 So maybe it’ll become more interesting if we learn more about it down the road, but right now I give it a “meh”.\u00a0 Potentially a “meh plus” because of the attribution angle, but it’s on the cusp.<\/p>\n

Anyway, because I’m not super interested in that, I’ll continue an exploration I started a while back<\/a> about the security “skills gap.”\u00a0 Why?\u00a0 Because I came across the research from CompTIA that has implications for this<\/a>.<\/p>\n

But first, a few full disclosure statements and caveats: 1) be advised that my “day job” is with ISACA, an organization that (depending on your point of view) is a direct competitor to CompTIA.\u00a0 I’d argue it really isn’t, but not everyone sees it the same way I do.\u00a0 2) I have, in the past, highlighted data about – and posited analysis that supports – a security skills gap.\u00a0 I’ve written reports, for example, that conclude that it exists and that it’s an important thing to pay attention to.\u00a0 That either supports or detracts from my credibility on this matter depending on your point of view.<\/p>\n

That out of the way, about the CompTIA study.\u00a0 The thing I found most interesting is this (from HRDive coverage of the press release<\/a>):\u00a0“The report also found that some professionals worry their skills will soon be obsolete; many, however, said they were interested in careers in cybersecurity (51%) and cutting-edge areas such as the Internet of Things (30%) and artificial intelligence or machine learning (20%).”<\/em>\u00a0 Note that I did my level best to find this data point in the materials released by CompTIA<\/a>, but I can’t find it in there — my suspicion is that this data point made it to the press release but didn’t make it into the report summary up on the site.\u00a0 Since I can’t find the full report or the data (the “Access” button points to an executive summary – at least as of now), I’m running with this one.<\/p>\n

The reason this is interesting to me is that it demonstrates that cybersecurity is increasing in interest for those in the job market.\u00a0 So this is an interesting data point to me for a few reasons.\u00a0 First, it’s maybe unsurprising as there has been quite a bit of attention out there on why cybersecurity is a “hot” area, how there’s a skills gap (the implication being that it’s super easymode to find a job and that there’s tons of mobility and job security), etc.\u00a0 It also suggests to me that the narrative of the skills gap is gaining traction into broader IT.\u00a0 Though I don’t have direct evidence to support it, I also think it is having a broader impact on the job market more generally.\u00a0 It’s comparatively more appealing to these folks compared to other “hot” areas.<\/p>\n

Here’s why I think caution is warranted though. Namely, there are organizations for which there is a direct line between the “security skills gap” narrative and their particular agenda (financial or otherwise).\u00a0 Consulting companies, for example.\u00a0 The more difficult it is (or seems to be) to find good security talent, the more appealing their services appear to be.\u00a0 Also, certification bodies and educational institutions.\u00a0 Those who offer “differentiation vehicles” (like certifications or degrees) for professionals in the space.\u00a0 Their goals are also directly forwarded by the narrative.\u00a0 \u00a0Technology companies and those who automate security tasks likewise.\u00a0 What I’m saying I guess is that there is a communal bias and interest in believing the narrative.\u00a0 \u00a0I am\u00a0NOT\u00a0<\/strong>saying that anyone is doing this purposefully.\u00a0 But as an exercise to the reader, I would ask you to pay attention to the source of information about the skills gap when you hear it: who is the report coming from and whether they are directly or indirectly served in some way by highlighting it.<\/p>\n

Do I personally believe a skills gap exists?\u00a0 I do.\u00a0 But am I biased?\u00a0 Unquestionably.<\/p>\n

I also happen to think that the implications of it are, long term, potentially problematic for practitioners in the space.\u00a0An influx of personnel into the job market absolutely will have a downward pressure on salaries over the long term and have a long term impact on professional mobility.\u00a0 That’s the downside.\u00a0 The upside is that, the less competitive the space becomes the more opportunity there is for safeguards against malpractice.\u00a0 I’ve advocated for professional licensing of security practitioners before.<\/p>\n

So, like, if a security pro sucks at their job – and engage in either deliberate or accidental (but grievous) malpractice – we can limit the further damage they can do to others by revoking their ability to practice.\u00a0 As it stands now, those in the profession who aren’t great can continue to be that way until they retire.\u00a0 As long as they can sell how awesome they are to people who don’t know anything about it… and having held an equivalent position at organizations that are heavily disincentivized from sharing their negative experiences with that candidate.<\/p>\n

I’ll continue to come back to this topic…\u00a0 Of all the things that are going on security, I think the long-term economic impacts on the job market are potentially the most significant for individual practitioners.\u00a0 When BadRabbit goes away five minutes from now, there will be something else to take its place.\u00a0 The impacts on the job market from the skills gap though?\u00a0 Both the narrative and the actual underlying phenomenon will still be playing out 5 years from now — and still be impacting practitioner’s lives.<\/p>\n","protected":false},"excerpt":{"rendered":"

Today is a slow news day.\u00a0 Yes, I know about BadRabbit…\u00a0 I make this statement anyway because it seems to me like BadRabbit is boring.\u00a0 I’m sure it’s not boring to you if you’re impacted by it, but for the unimpacted news reader, it’s neither\u00a0technically interesting\u00a0nor necessarily noteworthy from a tradecraft perspective.\u00a0 It uses human […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[110],"class_list":["post-636","post","type-post","status-publish","format-standard","hentry","category-security","tag-skills-gap"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/636","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=636"}],"version-history":[{"count":1,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/636\/revisions"}],"predecessor-version":[{"id":1916,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/636\/revisions\/1916"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=636"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}