Ning Wang, CEO of OffSec, discusses the ongoing cybersecurity skills gap and why diversifying hiring approaches will be key to rectifying it.
As cyberattacks become more sophisticated, the need for experts with the right skillsets grows. And yet, the cybersecurity industry is facing a massive talent shortage across the globe, which the ongoing pandemic has shone a spotlight on.
Ning Wang is CEO of Offensive Security (OffSec), which specialises in infosec training and penetration testing. She has more than 20 years’ experience in the tech industry, previously holding COO, CTO and CFO roles at companies such as HackerOne, Eucalyptus and Lynda.
Here, Wang discusses the cybersecurity talent gap, the gender gap and the skills that will be needed for the future.
Is there a significant talent gap in cybersecurity today?
Yes, there’s a talent gap in cybersecurity today – and it’s global. Cybersecurity traditionally has appealed only to a very specific set of candidates because it requires experience and knowledge in other areas, such as system admin, networking or application development, and people with a security mindset.
Doing security well is not just following the process and going through the motions; it requires people to be able to think critically and creatively. In the past, people would hope that they could find the perfect candidate who had the experience and knowledge in other related fields, and also had security experience.
Those profiles are few and far between. I think hoping to get the perfect candidates, coupled with the challenge of training and developing good cybersecurity professionals, has contributed to the big talent shortage we have in cybersecurity.
Is the gap more prevalent for women, do you think?
There is a well-documented lack of diversity in the tech industry. Specifically, there is an enormous gender gap; too few women pursue careers in technology, and even fewer rise to leadership roles.
Women face different challenges depending on their background and where they are in the stage of their lives. Working moms, single moms and someone early in their career have very different challenges.
To attract more women to the field, to keep more women in tech and to help more women in tech to succeed as leaders, we need different role models for women of all situations.
I’ve made it my own mission to make the OffSec community more inclusive by speaking with all of our women employees about their career aspirations and challenges, which turned into new ways to better support women and help them succeed at my company.
What are the most important skills the cybersecurity industry is missing?
What’s needed to actually secure environments in this challenging time is a shift in mindset. It’s not just that we need to make more training available to proactively address the security skills gap. That training has to establish an adversarial and persevering mindset among security professionals to combat today’s attackers.
Not every vulnerability is obvious. In order to secure the enterprise, defenders have to think like attackers and try harder every time they seemingly hit a dead end, proactively identifying threats before they impact the business.
At OffSec, we’re making it possible for anyone, from any background, to obtain the skills to become a cybersecurity professional. All OffSec courses are hands-on and practical, and significantly accelerate a student’s understanding of real-world networks, systems, web attacks and exploitations.
We challenge our students to try harder. This means developing a growth mindset of learning and trying new things, practising hypothesis-driven problem-solving skills, honing in on critical-thinking skills and overcoming unforeseen obstacles. Performing a security job in the real world requires this kind of mindset and all these critical skills.
Which skills will likely be needed in the future?
Getting hands-on experience is key. In order to prove you can offer something to an organisation that you’re working for, you’ll need to demonstrate that you can do the actual work for them. You have to show that you know more than just the theory in order to be taken seriously in the field. Obtaining a degree just isn’t enough any more, as hackers are evolving their techniques.
Additionally, the key traits of a great cybersecurity professional are the innate curiosity, perseverance to figure things out, creative thinking and problem solving. You don’t need to come from a technical background to have these characteristics. If someone portrays this set of traits, they are well positioned to learn the knowledge and skills needed to succeed in the cybersecurity industry.
An employer is looking for someone who not only can do the tasks at hand today, but has the potential to excel in future tasks. The best way to demonstrate that is to show the mindset with which one approaches any given situation.
What would your advice be for companies struggling to hire cybersecurity professionals?
In order to attract more skilled talent, we should think about searching for them with a diversified approach and put additional efforts into recruiting more women and other minorities.
In addition, we should think about looking for people with the traits needed to succeed in security regardless of what they are doing in their day-to-day job or what fields they majored in.
At OffSec, we regularly interact with great security professionals that have degrees in chemistry, electrical engineering, philosophy or no college degree at all. In fact, a member of our technical staff used to work in the mailroom.
Many system admins become great security experts. As an industry, we can tackle the skills shortage by developing new ways of identifying those with the potential to do the job and training them.
What are the main things we can do now to overcome the talent gap?
At OffSec, one way we’re trying to achieve this is by introducing tools like Proving Grounds that allow those interested in cybersecurity to experiment and play around with cybersecurity exploit scenarios and techniques without necessarily committing to major training.
This is how we can expand the top of the funnel; by providing a way for people to have fun and mess around in cybersecurity without having to dive headfirst into the deep end of the pool. We need to get more people into the security talent funnel so we can nurture them, develop them and train them until they are ready to take a job in cybersecurity.
Why should someone consider a career in cybersecurity, in your opinion?
Cybersecurity is a big challenge facing everyone – governments, enterprises and every citizen on this planet. Doing something in cybersecurity allows one to not only make a good living, but also contribute positively to the society we work and live in.
Moreover, the possibilities are endless when it comes to choosing a career in cybersecurity and positions within the industry are very in-demand right now.