Jimmy Sanders has a long list of work to do, so he wants a security team that can handle the multitude of tasks ahead – from advancing his company’s zero-trust security strategy to securing its cloud deployments to deploying machine learning solutions. Team members must be able to do all that at scale, as well as shift gears and upskill as quickly as business needs shift, technology evolves and security risks change. In fact, Sanders puts “comfortable with change” as one of the most in-demand skills for 2021, alongside internal drive and the ability to be self-directed with work. It’s a lot, he admits.
“The people who can do all that are in super high demand,” says Sanders, head of security for Netflix DVD and president of the San Francisco chapter of the Information Systems Security Association (ISSA).
Indeed, the demand for cybersecurity talent continues to outpace supply. A July 2020 report from the ISSA and the Enterprise Strategy Group (ESG) found that 70% of ISSA members believe the global cybersecurity skills shortage has impacted their organization, while the 2020 (ISC)² Cybersecurity Workforce Study found that 64% of responding security professionals experienced skills shortages within their own organizations. Such statistics only tell part of the story, though. Security leaders say there’s not only a shortage in the number of qualified people working in the field, but it’s also challenging to find the needed skills among the existing pool of security professionals. That’s not surprising, considering the lengthy list of desired skills needed today. In fact, security professionals need more than a single certification or even experience with a few key tools. Increasingly, they need the right combination of multiple security skills alongside technology, business, and interpersonal skills, as security jobs morph into a hybrid of roles that span different disciplines.
“There’s a shift away from people in security who do one thing, and only one thing, well. There are too many threats and too many opportunities for systems to be compromised that you can’t be an effective security professional without a broad base of knowledge,” says Will Markow, managing director of Burning Glass Technologies, a labor market analytics firm, which issued a 2019 report on the hybridization of job roles. The most in-demand security skills for 2021 reflect this trend, with security chiefs saying they need people who can pull together expertise in the various spheres to meet the emerging security and threat environments as well as overall business requirements.
Here are the 10 areas where skills are most in demand for the year ahead — and why:
Risk identification and management
Jorge Rey, CISO for professional services firm Kaufman Rossin, wants security workers who understand both the company and its industry, which is why he values the low turnover rates within his department. He says veteran staffers bring the business insights he needs. And that insight, when combined with technical acumen and cybersecurity experience, helps them identify which threats pose the greatest risks to their company so they can effectively allocate limited resources to deliver the best protection.
“The best way to mitigate threats is to understand the risk,” he says, “so we need people versed in governance and strategy who can then determine the best solutions, who can find the right technology or the right outside provider or build the right capacity in-house.”
Others also put risk management high on their list of desired skills for 2021, with Burning Glass listing it as one of the security skills seeing the fastest growth in demand over the upcoming five years and one that could earn professionals more than $10,000 a year in premium pay.
“CISOs need people who can take a risk-based approach to build a secure digital infrastructure,” Markow adds.
CISOs are also looking for people with overall technical skills, noting that they can’t understand risk and develop security plans for a digital world without understanding the IT components that make up the infrastructure.
“Programming skills, system administration skills, and network skills are all required and necessary to have … because security skills are worthless without foundational knowledge to build upon,” says Matthew Rogers, CISO of tech company Syntax.
Consulting firm PwC likewise identified technology acumen as critical for security professionals, listing knowledge of “digital building blocks” as one of the three critical areas of expertise (digital skills, business acumen, and social skills) needed for an effective security program. As such, Joe Nocera, principal and leader of the Cyber & Privacy Innovation Institute at PwC, says security chiefs want staffers who understand architecture as well as logging, monitoring, identity management, and authentication in addition to expertise around specific business and security solutions. Jack O’Meara, a veteran CISO now serving as a director on the cybersecurity solutions team at Guidehouse, a tech advisory and outsourcing firm, agrees. “I want to make sure people have hands-on expertise for the specific technologies I’m deploying. They have to have an understanding of how the technology works because if they don’t, they’re never going to understand how an attacker can exploit it,” he says.
Data management and analysis
The security department is one of the biggest generators of data within the enterprise, and in many organizations, it’s becoming one of the biggest consumers of data, too, as it seeks to use the information to drive more effective and efficient protection strategies.
“They’re looking to make sense of the massive amounts of data they have, and the tools only go so far,” says Brandon S. Dunlap, a leading partner for security and risk management at the tech research firm Gartner, adding that he’s seeing more CISOs hire data scientists, data engineers, and data officers.
Organizations are increasingly moving beyond DevOps to DevSecOps, seeking to add security considerations into the application design and development phase to ensure more secure apps. That requires security people with development and operations knowledge and experience.
“We’ve learned over the past few years that where security risk really sits is in the application itself, so we need to have the software developed with security integrated right from the start,” says Jeffrey Weber, executive director of the IT staffing firm Robert Half Technology. Burning Glass lists application development security as the No. 1 fastest-growing skill, with demand expected to increase 164% over the next five years.
The widescale adoption of cloud, and especially the increasing embrace of a multi-cloud strategy, has increased the demand for security workers who are experienced in cloud deployments and can marry that with the enterprise security strategy. Rey, for example, says he wants team members with expertise in one or more of the public cloud platforms (AWS, Azure, Google) as well as private cloud architecture. “When I think about cloud security, it requires a bit of knowledge about everything; it’s about developing a secure network within a cloud environment,” he says.
In its 2020 report, The Life and Times of Cybersecurity Professionals, ESG says enterprise security can use automation to help address the cybersecurity skills shortage. Experts concur, explaining that automating repetitive tasks creates efficiencies and boosts effectiveness while shifting valuable employee time to the complex work that only humans can do. Automating security functions, though, requires security workers skilled in actually implementing automation solutions. Rey is among the CISOs who believe automation can help close the skills gap, saying that automation skills “should be embedded in anyone who is in IT or security.” He wants people who are able to identify tasks that can be automated as well as do the automation itself, using Python, PowerShell, and other scripting languages to make it happen.
Threat hunting is a relatively new security strategy that is gaining widescale traction. According to a 2020 survey from security solutions maker DomainTools, 93% of organizations said threat hunting should be a top security initiative to provide early detection and reduce risk. The growing interest in, and implementation of, threat hunting practices is driving demand for the right combination of skills needed to do the job. Burning Glass lists it as the No. 4 fastest-growing in-demand skill. Rick McElroy, the principal cybersecurity strategist at security tech company VMware Carbon Black, says it takes analytics skills, understanding of the MITRE ATT&CK framework or other such methodologies, knowledge of the enterprise technology stack (so “they can tell when something ‘wonky’ is happening”) and intellectual curiosity to probe for problems. “They have to think like an attacker; they have to wonder, ‘How would an attacker bypass my defenses?’” McElroy says.
The cybersecurity function has become not only more critical with the rise of the digital economy, it has become more prominent as well. That puts security professionals in front of the C-suite, board members, and employees with greater frequency. So, they must be able to collaborate, communicate, and consult with these various stakeholders, making those and other interpersonal skills a hot commodity. “It’s almost a sales function, to be able to present to all different levels of the organization to impress upon them what they need to do to protect the organization,” says Gary Todd, associate director of cybersecurity for the energy firm PNM Resources.
HP CISO Joanna McDaniel Burkey wants workers who understand the business, who speak in business terms, and view themselves as business people as well as technologists. She says security professionals need such skills so they can help manage risk, which is the prime objective for the modern security team. Security professionals must help their organizations balance security with costs, market demands, and other business metrics. “I talk about it as ‘polarities to manage’ versus trade-offs,” she says. “We need to see both sides of issues, we need to put ourselves in their shoes, so we can co-create well with stakeholders.”
According to the 2020 (ISC)² workforce study, 30% of respondents saw their organizations move to a remote workforce in just one day as a result of the COVID-19 pandemic, while another 47% had just several days to a week to make the shift (only 16% had more than a week). Experts don’t anticipate such rapid workplace transformations to become the norm, but they do expect the pace of technology and business changes to continue accelerating. Security needs to keep up. “COVID brought in a whole new set of scams and attacks and way of working,” says E.J. Widun, who as CTO of Oakland County, Mich., works with the security team. “COVID showed we need people with the ability to adapt, and to adapt fast.”