The controversy generated by my article in DarkReading was not entirely surprising.

"How the Skills Shortage is Killing Defense in Depth"

Some insist that there is no security skills shortage. But I insist that they are wrong, based on my experience in the field over the last three years. Many times I will get invited back to see a customer I've seen before. When I return, I find that some of their security people have moved on. One of the major credit card companies had a brilliant Director of Security with an impressive threat intelligence team. When I came back a year later, he had been poached and had taken half the team with him. The other half of the team was junior and demoralized. I've seen it happen with other teams as well.

CSO Perspectives (Sydney)

Last fall at the CSO Perspectives event in Sydney, I sat on a panel in front of an audience of about 200 CSOs and Security Directors. Throughout the day the skills shortage kept coming up, and finally I asked for a show of hands to see who was suffering from it: nearly every hand went up.

Infragard event, Florida

At an FBI Infragard event in Florida, an audience member put forward the question about the security skills shortage. Ken Athanasiou, the CSO of AutoNation, replied:

"Your propeller head infosec techie that can crack packets wide open is more important than any tool you can buy. If you've got someone like that, make sure you keep them happy."

So to the naysayers who claim that there's no shortage, I beg to differ. The real question is how we solve the shortage, or whether we can.

Some argue that if IT paid higher wages, more people would be attracted to the field. Market forces can work that way for some fields, but security isn't one of them. Security, as a practice, is more difficult to train for. It takes a special mindset. Some would say that it takes a kind of paranoia.

And that special paranoia requirement means that only a subset of the people you’re looking for can even be trained in the way of the hacker. For the young people who want to get involved in information security I have three recommendations:

  1. Join the local OWASP chapter.
  2. Dive into the tools.
  3. Attend a security conference.

The OWASP web site is a great place to start learning about application security, and there are local meetups all over the world to attend. Membership in the organization isn't required, and in any case it costs only $50.

Getting started with the security tools, both offensive and defensive, is a very hands-on way to gain quick experience at home. The OWASP site has how-to articles for WebGoat and other fun tools.

Finally, attending a security conference can be the best, and most fun, way to get into the field of application security. When I was just starting out, I attended one of the few hacker conferences at the time: DEF CON. I was blown away by the hacking culture and the spirit of information sharing in the community. DEF CON is still the premier hacker con, and it has stayed true to its roots. The fee is a mere $200, low enough that newbie script kiddies can just jump in the car, drive out to Las Vegas, spend four days soaking up the culture, and come home with a head full of ideas about what to do next. For people who can't make it to the conference, the new DEF CON YouTube channel has the talks online.


From my wide experience, I believe the shortage is real. See the DarkReading article for statistics. See OWASP and DEF CON for the way forward.