
On the Cyber skills for the long run.

No matter if we are talking about well-established technologies (such as desktop, web and mobile) or relatively recent ones (such as cloud, artificial intelligence or blockchain), whether it is an old-school desktop application or a smart contract running on a blockchain, we are certainly required to steer away from the build-then-secure model toward a secure-while-building approach, so that software is built with security in mind from the very beginning.

This is not a novel concept, though. It is commonly known as a shift-left strategy, where security practices are included as early as possible in the Software Development Life Cycle with the goal of generating more secure applications and, at the end of the day, saving money and avoiding trouble for whoever is building the application. It is here where most efforts will be focused in the upcoming years and thus where a lot of opportunities will arise for specialized security practitioners.

No doubt Cybersecurity-related jobs are surging these days. Fueled by the skills gap and sharpened by the pandemic, there is a variety of open positions as well as new openings almost on a daily basis. Now, this surely needs to be qualified with the fact that Cybersecurity is a field not only wide but also deep, and that available positions are distributed amongst the many different areas within the field. Combine this with the fact that lots of people are looking to take part in Cybersecurity and you get many asking themselves: what skills do I need to thrive in this field?

Application Development Security and Coding skills

In general, Application Security relates to the practices around the conception, development and maintenance of secure software applications. One can see how this subarea of Cybersecurity is also wide and deep in and of itself. Now, let’s face it, Cybersecurity is tough and becoming proficient at even one of its subareas still represents a challenge. –Acquiring some of the required skills takes years in some cases, but do not let this discourage you; instead, think of it as just so much stuff to learn!

Within Application Security, the development part is one of the most important: if security is done right from the beginning, it becomes an enabler, instead of the roadblock or obstacle it becomes when done at the very end of the cycle. But how can you develop secure applications if you don’t know where the risk lies? And, more importantly, how can you know where the risk lies if you don’t understand how the application works?

Ultimately, to understand how an application works, you need to understand the technology stack it uses, including the language it was written in. It is here where development and programming skills play, in my opinion, a pervasive role across the different sub-areas of Cybersecurity, pervasive in the sense that these skills can be applied in some way or another in several (if not all) of the sub-areas in order to comprehensively understand the risk and determine a realistic impact.

In fact, based on the recent skills research results from Burning Glass, Application Development Security will be the top-growing Cybersecurity skill projected for the period of 2021-2025, with an estimated growth of 164%. This hints at a lot of job opportunities in the future, but also reminds us that the skills gap will still be present for a while, since these specialized skills are difficult to obtain.

Fastest-Growing Cybersecurity Skills.

An interesting fact from the above is that, even though skills related to Cloud Security are the second top-growing skills in the list, they are projected to command an overall best salary in the next 5 years, which makes it an attractive field to join in terms of monetary gain.

So, how to tackle the skills gap?

The Cybersecurity skills gap is an old concept that nonetheless is quite alive these days. Simply put, there are not enough resources to supply the needs and demands of the market, that is, not enough resources with the required set of skills. There are actually a lot of people interested in getting to work in the field, so there is no shortage of entry-level candidates out there; I would think the skills shortage really sharpens at the medium-level and senior-level positions.

Skills Gap.

Besides the obvious fact that we need to build Cybersecurity into the culture itself and that curricula of students need to take this into consideration from the early stages of development, there are a few factors that, in my opinion, may help alleviate this problem:

First and foremost, we need to acknowledge that, in the current state of the market, specialized Cybersecurity personnel are expensive and difficult to come by. Companies will still need to work on building their own resources; however, while trying to fill Cybersecurity positions they should first look inwardly for people with foundational knowledge who might be interested in making the “jump”. This could be beneficial both for their career development and for the company as well. People with some sort of programming, systems administration and/or networking skills to build upon are already great candidates to start their Cybersecurity adventure and should be motivated to do so in order to start filling the gap. –I’m a similar case: I started off as a programmer and moved into penetration testing when presented with the opportunity.

Second, people applying to these positions need to demonstrate willingness to learn or be trained (and humbleness when appropriate). But most of all they need to demonstrate basic self-learning and research skills as well as a go-getter attitude. Nowadays, entry-level certifications are a common way to do this and there is also a huge number of free resources out there that can be utilized for similar purposes. Ultimately, however, I believe it boils down to a matter of attitude and whether or not they are ready to put in the required effort and time, even if that means putting in part of their own personal time. –I have invested a fair amount of my own free time in self-learning and in preparation for certification exams myself.

Third, establishing a mentoring program also seems like an important piece of the strategy to tackle the skills gap. It is true that Cybersecurity personnel probably already have their hands full, but some sort of shadowing will work, where the mentee observes the mentor doing the task and learns from it on the go.

Clearly communicating risk

Although this is true for most of human affairs, effective and clear communication skills are vital for the Cybersecurity practitioner nowadays. Somewhere I heard (or read) a comparison on how the technical guy with bad communication skills was just like a troll you keep in the dungeons for when things get ugly, but not someone you take into the castle to enjoy a nice meal. Not the best metaphor, I agree, but with an important message: technically-oriented people should not underestimate the importance of clear communication and non-technical folks should not underestimate the importance of technical knowledge for when things get ugly.

Clear Communication.

Effective communication is particularly important when relaying the message of risk. If you are able to clearly pinpoint where the problem is, how it can be exploited, by whom and the possible impact in a straightforward and concise manner, then you are already in a great position to make your case and be taken seriously.

Closing

Ideally, Cybersecurity should be ingrained in all aspects of society with regards to cyberspace in order to produce healthy digital hygiene at the individual level first, but this is still a work in progress. Non-cybersecurity folks in the Information Technology field should be motivated and trained to join Cybersecurity positions; this will create more demand at the IT level that can be filled with people working their way through those foundational skills we talked about before (programming, systems administration and/or networking).

Hard skills such as coding and soft skills such as communication necessarily need to be combined and harnessed together in order to effectively relay the message of risk.