Cybersecurity jobs are among the hottest growth areas worldwide. In fact, industry research sees three and a half million cybersecurity job openings by 2021. Does this lack of skilled professionals mean a huge vulnerability for government agencies and commercial firms alike? Or is there more to the story?
To find out, we spoke with Cylance’s Chief Security and Trust Officer, Malcolm Harkins. His take – and his solutions — may be contrary to conventional wisdom, but may also provide a practical, effective path forward for IT leaders.
(Don’t have time to read but still want to hear Malcolm’s insights? You can find his podcast on the topic here.)
Government Technology Insider (GTI): When you don’t have enough cyber security people in your organization, what does that do to your overall risk profile?
Malcolm Harkins (MH): Well there’s two ways to look at it. If you look at it in the traditional sense, it looks pretty bleak and it looks like you have a substantial risk profile.
One of the thoughts I had a long time ago, when I was at Intel, was there was a security poverty line that existed, much like a societal poverty line. And there are organizations below that poverty line, either because they don’t have the budget, or they don’t have the skills.
On the other side of it though, when you think about what’s driving the job shortage and the labor shortage and the skills shortage, when you dig into the details of what’s creating the skills gap and the labor shortage, it’s been because we are too reactive.
Most of the jobs out there that people are looking for are incident response, intrusion detection, intelligence, security information, security event information management – the reactive roles. So, when you look at data like the ISSA puts out and the Enterprise Strategy Group put out in 2017, the data says that by and large most of the organizations say they’re significantly impacted or somewhat impacted by the skills shortage. Close to 70 plus percent of organizations report that.
But again, when you dig into the details of how it’s impacted the organization they go, “It’s workload, it’s training.” It’s because we have not adequately solved the problem up front. And, when you look at the job types that are missing, it’s weighted towards reactive jobs. And what we’ve got to start doing is shifting towards the proactive, preventative jobs. And if we did that we wouldn’t have a labor shortage.
So, the other way to look at it from a positive perspective is, if I were a Chief Security Officer or Chief Information Security Officer and I was limited in the people that I could hire, my way to deal with that is to have a stronger preventative control architecture and therefore I need less people to react. And so I could also look at the skills shortage as an opportunity to re-architect and reinvent the approach.
GTI: It sounds almost as if organizations feel like they don’t have enough ‘police’ or ‘firefighters,’ as opposed to thinking, “How do I deal with the realities of the situation, not just by throwing more and more defenders on the frontline, but thinking about my entire security risk profile?”
MH: Exactly. Because, think about it, technology exists to connect and enrich lives. Technology exists and automation exists to get more efficient and effective, whether it be running a factory, whether it be sales … all technology is meant to provide efficiency and effectiveness for organizations. And so, when we have a labor shortage it says the security tools that most organizations have, have not been efficient or effective. Hence, we have the increasing workloads.
You know, the Security Operation Centers, which is probably the majority of the headcount in most organizations — they’re dealing with alerts and they’re getting alert fatigue and they’re getting drowned with more and more alerts and that’s leading to what I call Detection Deficit Disorder. Because when you’re fatigued with the alerts, you can’t figure out what’s relevant and what’s not.
You know, think of the Target breach. They had the data, they had the alerts — they were drowning in alerts and so therefore they didn’t act on it. And again, that’s symptomatic of the control architecture as we have, which is fueling the risk cycle, which is fueling the labor shortage.
GTI: That sounds like an issue with big data in general. You can have a ton of information but if you can’t analyze it and then act upon it, then the value of the data really is limited. And this speaks to the labor question, where you’ve got quality versus quantity. If you’ve got large numbers of people and, considering that a number of these cyber engineers are going to be newly certified, have you created its own kind of risk?
MH: To some extent perhaps, because as you get new entrants into the labor market they won’t be as seasoned. But on the other side of that, it provides an invigoration, an innovation cycle — a workforce that’s hungry and innovative and, hopefully, innovative enough that they’ll want to transform the work they’re doing, transform the control architectures and, hopefully, with that new crop of security professionals, we’ll be able to inspire hope and change that’s transformative rather than the crop of, I’d say, the vast majority of security professionals in a lot of organizations (who) just accept that compromise is going to occur.
They’ve been habituated to being compromised because of the security solutions we’ve gotten from the industry and that’s kept us in this reactive mode. And sometimes you need new people, new blood, new thinking to stimulate the change that we need.
Come back tomorrow to read Part 2, with more insights and advice from Malcolm on dealing with the fast-growing shortage of cybersecurity professionals.