Ean Meyer is a Course Director with Full Sail University, teaching the next generation of engineers about information security. He has experience in PCI, SOX, intrusion detection and prevent systems, information security program management, penetration testing, and social engineering/user awareness training. Ean has a B.S. in Information Security and an A.S. in Computer Network Systems.
OPAQ: What are a few reasons why security skills are lacking in the workforce?
EM: There are two main problems in the higher level discussion about the skills gap. We have focused too much on passing tests and not critical thinking and history and engineering. Information security is about thinking outside of the box: you have to think like a hacker. The second challenge is that academia has a tendency to be behind the curve. In some colleges you have to pass electric engineering to get into the network security course. That’s a major barrier for people who could be excellent network engineers or security analysts. It doesn’t make sense. I am a big believer that the skills gap can be solved by a trade school and real world education approach. People aren’t going to enter the workforce into environments where it’s all brand new technology, except for maybe at startups. In large organizations you’re going to have a lot of legacy technology, so teaching the history of that and learning how to deal with those challenges is part of the skills gap issue.
OPAQ: What skills are most needed now?
EM: The top one is security analyst. These are people who can come in and understand the environment quickly and provide value by teaching well-defined processes and when to escalate. There are lots of people from IT fields that know how computer infrastructure works and can be taught additional pieces of process they haven’t been exposed to yet. The second big one is cloud security architect. The cloud is not simply, push a button and it’s all good behind the scenes. For AWS, there are 1500 pages of security documentation. I’m also a big fan of understanding what is going on in social engineering—the con men just trying to trick people. I think security awareness training is a big opportunity. These trainers can help employees understand in plain language the real issues and how to protect themselves.
OPAQ: You recently wrote about a solution to the skills gap, involving the creation of entry-level security roles at companies. Tell us how this can work?
EM: One of the arguments is that you are not a security person unless you are a generalist at the peak of your career. But someone familiar with Microsoft tools could become a security champion. Let’s create roles where someone could evaluate a new vulnerability because they know all of the company’s IT systems. There could be new types of intern programs where someone could be in charge of real projects like patch management allowing them to learn and grow and stay on with the company. Interns are often brought on with no real goal. They aren’t learning or doing much and you aren’t getting much value from them. That intern could have a senior engineer overseeing their work and then you can grow the security workforce. You’ll also learn a lot because the person from the outside will see things you won’t see.
OPAQ: What kind of culture and processes are needed to support the in-house training and development of entry-level roles?
EM: The security analyst doesn’t need to program in C++. You can get a great analyst who can see the alerts on a dashboard and address them. They can learn how to code later, if needed. It’s not necessary to create an HR firewall requiring all these certifications and degrees to get a job in security. Job rotations are another idea. Someone who’s been on the database team for a few years could get invited to work on the security team for a few hours a week. That builds relationships and allows people to move more easily into a security role when there’s a need. I would also encourage directors to worry less about having to replace that database person and consider how that person is bringing institutional knowledge to a security role and can still be a resource to answer questions for the database team. We need to focus more on these cross-departmental relationships.