Hunters and Toolmakers: Seeking Infosec Wizards
Tech Skills Aren't Enough; Ability to Write is KeyThe United States has nearly 1 million people who call themselves IT security professionals, but only about 1,000 of them are what the SANS Institute Alan Paller characterizes as hunters and toolmakers: experts who have deep knowledge and can, for instance, look inside an iPhone and know where to find its vulnerabilities.
"You have 999,000 people who can talk about it, and about a thousand who are extraordinarily skilled who may actually help us win the battle," Paller said last week at an RSA2011 IT security conference session on the U.S. Cyber Challenge (see video Searching for the Good Hacker) he co-hosted with Karen Evans, U.S. Cyber Challenge national director (see video Why the Cyber Challenge is Needed).
When experts bandy about the estimate of 10,000 to 30,000 highly skilled IT security experts the nation needs to truly secure its digital assets, they're referring to hunters and toolmakers and not the vast majority of IT security specialists - though important - who run operations and decide policy.
The U.S. Cyber Challenge offers programs to encourage high school and college students with a knack for computers, mathematics and science to consider careers in IT security. No doubt, as a nation, we need more people with so-called STEM skills - science, technology, engineering and math - to become those hunters and toolmakers. But increasing payrolls with technical whizzes won't help if these hunters and toolmakers can't communicate their wizardry to others.
"It's frustrating to me when I get a new person who can't write a white paper about a vulnerability," a manager working for a unit chief information security officer at the Department of Homeland Security said at the RSA 2011 session.
Though not the top skill, the ability to write is recognized as a key competency by subject matter experts who provided critical insights to the Office of Personnel Management, as well as federal government employees and supervisors who completed surveys this past year that painted a comprehensive picture of cybersecurity work. Writing, as a competency, ranked higher than proficiencies involving computer network defense, security, leadership, creative thinking, security and awareness, among others.
The chart below shows that neither technical nor soft skills are deemed the No. 1 competency an IT security professional needs; integrity and honesty top of the list. This shouldn't be surprising; the GovInfoSecurity.com survey released last week shows that half of the government IT security practitioners polled see insider threats as their greatest vulnerabilities (see Gov't Infosec Pros Question Fed's Security Resolve). You want honest people with high integrity to work in IT security.
The characteristics defined in the OPM study aren't just for hunters and toolmakers, but for the other 99 percent of cybersecurity specialists, as well.
What the OPM study shows - and the concern voiced by the DHS manager - is that technical prowess alone won't suffice. Finding those 10,000 to 30,000 hunters and toolmakers is becoming more of a challenge.