Meet Jeremy Leasher, Security Solutions Architect at Axellio. Leasher believes the IT security industry is undergoing a serious skills crisis, threatening to undermine the security of commercial and government organizations. Here, we talk to Leasher about the best approach to solving this skills crisis.
Security: What is your background and current role?
Leasher: I have been in the security industry for 22+ years serving in various roles for the commercial industry as well as the Defense department. I served as an Enterprise Security Architect for two large technology companies and as the Threat Hunt Lead for a large government organization. Currently, I am a Chief Warrant Officer 3 (CW3) in the Alabama National Guard serving as a Senior Security Advisor and a Security Solutions Architect at Axellio.
Security: Why is the IT security industry undergoing a serious skills crisis?
Leasher: There has been a large gap in the talent needed vs the talent available for the last 5-10 years. This is especially true for senior level roles within the security industry. Many of the seasoned security professionals are now retired or working in a role they will soon retire at and there has been very little knowledge transfer laterally among the junior professionals.
Companies such as SANS, EC-Council, CompTIA are doing their best to train the next generation of security professionals but they still lack fundamental education. There is a huge disconnect between training and education – on-the-job training is far more valuable than memorizing some questions to pass an industry certification.
Companies realized this years ago and decided to invest in technology as a safe alternative to the lack of human capital. Many security leaders in large companies also recognize that if they spend large amounts of money in training their people there is a good chance after 18 months and a few industry certificates under their belt, they will jump ship for other higher paying opportunities. Thus, this encourages the security leaders to invest in technology, as a server won’t up and leave.
There is a saying in the security industry that states “What if we train our people and they leave?” The response being “What if we don’t train them and they stay.” This is something the military has struggled with for years. They provide very good training for their personnel and then they leave the military because they can almost double their salary in the civilian sector. To address this, the military has been playing with the idea of paying their security people an incentive to stay in the military, which is very similar to how they incentivize the lawyers, doctors and other critical skills.
Security: How does this issue threaten to undermine the security of commercial and government organizations?
Leasher: Our military knows that some of our biggest adversaries (North Korea, China, Russia, etc.) recruit and train their younger generations to become hackers who want to target the U.S. Cybersecurity has become somewhat parallel to other blue-collar industries, i.e. electrician, plumber, or even a school teacher. There is no sense of urgency or pride of nation to protect the U.S interests against foreign/domestic enemies. We need to recruit our young people to learn and enjoy the security space instead of hoping for a Division 1 scholarship to play sports. Opportunities in the U.S are far more available than other countries which is counterproductive to our current security skills problem
Security: Are companies becoming way too reliant upon technology and not spending enough time training the cyber workforce?
Leasher: Absolutely. Companies now have many different avenues to transfer risk of not having a large security talent pool. Things like cybersecurity insurance policies are still relatively new and are not a mature fix for human capital. Security in the commercial industry has now become “someone else’s problem,” meaning that most companies opt to pay someone else to manage their security footprint.
Large Managed Security Providers (MSP) or Managed Security Service Providers (MSSP) have emerged over the last 10 years to help offset the cost of a company doing it internally and racking up large debt.
Security: What is the best approach to solving this issue?
Leasher: We have to reengage our young people at early ages to become interested in Cybersecurity. There are kids that now get enjoyment out of watching other people play videogames online and its BIG money. I think a lot of security professionals feel like they are on an island and there is no sense of community in many cases. The gamer community is huge and still attracting millions of users/viewers.
There also should be a huge push for education vs training. We are now seeing universities make cybersecurity degrees a part of the norm but it’s going to take another five-10 years to get well-rounded security folks through this pipeline and available to work in the industry.