By 2021, there will be 3.5 million unfilled cybersecurity positions.
To anyone working in this industry, it is pretty far from breaking news. Even before the Herjavec Group released their 2017 jobs report, we could begin to feel the squeeze of the talent shortage: job openings started taking longer to fill, you started receiving more persistent emails from IT recruiters, and it began to cost more to keep your talent in-house. Many schools have countered by incorporating computer science and cybersecurity classes into their standard curriculum in an effort to stimulate interest in the field for future generations. While this is a long overdue and commendable evolution, it’s also a long play for a very immediate need. Many of those directly impacted by this initiative won’t be ready to enter the workforce for at least a decade, if not two, and we need them now.
This problem isn’t going away anytime soon.
Cybersecurity was, for a long time, strictly an IT field. It was a shadowy world filled with hoodie-clad figures for ‘nerds’ and ‘computer people’ to worry about. The only time cybersecurity left the confines of windowless basements and Reddit threads were for appearances in Hollywood documentaries such as “Hackers” and “The Net”. This all changed with the advent of smart devices and the Internet of Things (IoT). IoT devices made the world more productive, connected, engaging, and informative. However, IoT also turned consumer information into a virtual playground for data thieves and other malicious actors. As critical pieces of our world became more connected, hacking went from backroom cults to well known organized crime groups and nation-state actors, with a host of script kiddies generating easy profit using variations of their work. These widespread campaigns targeted everyone from consumers and hospitals to businesses and schools who had purchased a wide-variety of new technology while taking an ambivalent stance towards security. Data breaches became part of the regular news cycle and people began to lose faith in companies ability to keep their personal information…. well… personal.
So businesses and governments did what they do best, they started throwing money at the problem: salaries began a steady upswing, spending on cyber defense broke $100 billion, and we saw cyber-centric firms acquired at an unprecedented pace. Although you’d never know it from the panic inducing news cycles, it’s actually working; things are getting better. We can see it as more incidents are detected internally instead of waiting for law enforcement notifications, Pastebin dumps, or dark web sales. We’ve also seen incident response times consistently shortening and overall lifecycles compacted. Above all, the biggest improvement is the serious discussions we are having, at all levels, about the security risks to our environments and how they impact business operations.
As important and commendable as these advances are, they could all be quickly derailed by a lack of competent and capable security professionals to carry on the fight. We are reaching a crisis level, industry-wide, talent shortage that bears consequences at all levels: more MSPs are pushing overpriced and underwhelming ‘AI’ and ‘Machine Learning’ solutions they promise will replace the personnel we can’t find, industry veterans are burning out as they hopelessly try to match the frenzy of attention, and executives are increasingly appointed to security leadership positions for which they are unqualified or uninterested in properly fulfilling.
So how do we solve or minimize this staffing shortage until the next generations are ready to go? Let’s start by dropping what we think we know about the people we need.
Strength in Diversity
We need to build diverse teams to combat security threats. When I say diverse teams, I’m not talking about just gender, political, or racial diversity either. We need a comprehensive set of people with backgrounds, personalities, thought processes, and professional skills spanning the entire spectrum. I’ve had the incredible good fortune of receiving personal guidance and professional mentoring from industry innovators whose background skills were, quite literally, all over the map. From a military intelligence analyst and Army interrogator to a business leader and motivational speaker, none of whom had the typical resume you’d expect of a cyber professional. But they each took their unique blend of experience to find a, sometimes niche, application inside a cyber domain that has quickly become entrenched as an integral piece of every other domain. Where do these people come from and, more importantly, how do we find them? Currently, over 80% of the people on my team have never held a cybersecurity position before joining our operation; some of them, also had no professional IT experience or zero certifications. Even with this lack of experience or credentials, I brought them on because they all possessed the 3 traits I look for and that each of my mentors utilized regularly.
As obvious as this seems, it is quite regularly overlooked or poorly quantified when evaluating technical staff. Let’s search for people that can display or explain the setbacks they’ve experienced, personally, or professionally, and what they did to overcome them. Cyber defense is a constant battle that has no end in sight. All too often, we have seen cyber professionals turn to abuse of artificial stimulants and recreational drugs just to keep up with the intense and unforgiving demands of the industry. We need people who can persevere when the going gets tough and who let nothing stop them from achieving their goal. These people won’t give up when they get overwhelmed and won’t let the proverbial brick wall inhibit their progression. I once interviewed a woman, who had spent most of her life in business analysis roles until she took several years off to be a stay at home mother. After a while her husband left her with a teenage son and a derailed career, so she decided to pursue a cybersecurity degree and begin finding a job. Predictably she had trouble finding an entry-level position willing to give her a chance, so she worked at Starbucks to make ends meet and kept applying. When she joined our team, you could immediately hear and see her passion for the work. However, when she first started, she struggled to pick up the fire hose of terminology, processes, and ideas central to nearly every security operation. Despite this initial setback, she never lost the determination and will to succeed that set her apart from everyone else, she just kept pushing harder. This intense determination paid off, as she’s still on the team and is now one of our most reliable and responsible staff. Her determination has allowed her to leverage her experience in business analysis to improve a number of our existing processes, develop her technical writing skills, and create value in an industry that was completely new to her.
“Determination that just won’t quit — that’s what it takes.” – A. J. Foyt
Those who possess an inherent curiosity often find themselves drawn into the cybersecurity field as it provides an endless number of questions for those who love to ask them. We repeatedly see the individuals who consistently and constantly start everything with “Why?” are always learning something new, challenging processes, and unafraid of failure. These people hit the ground running and typically establish themselves as organizational rock stars in short order. The best part, it’s usually pretty easy to spot innately curious people with even a short conversation. The most curious individuals read a lot, enjoy talking about ideas and concepts, and are as interested in how things work as the things being produced. Ask a truly curious person about their passions and the previous positions they’ve held, you’ll often get back a slew of things they’ve done over the past few years that fall outside (sometimes well outside) of the typical job scope or field. One of the members of my team worked at the front desk for a large hotel, he had zero formal IT experience but had been recommended by a colleague who knows what I look for. What started as a simple question about what he did at the hotel, led into a list of everything from audio/visual support and working with event coordinators to card reader maintenance and network troubleshooting. He had quickly become bored sitting at the front desk, and his innate curiosity led him to keep learning new things until he was integrated into nearly every facet of the hotel operations. He joined our team and asked question after question throughout his training as he soaked up this whole new world. During his training, he decided to teach himself python (because he had an idea) and proceeded to write several automation scripts that are still in use today. Curious people don’t wait for innovation and progress, they create it.
The important thing is not to stop questioning. Curiosity has its own reason for existing.” – Albert Einstein
We need people who are not only good at solving problems but enjoy it. Cybersecurity is a relatively young industry, and technology is changing almost faster than we can keep up. One of my mentors, and a very good friend, is a psychology major who spent time in the Army working with human intelligence operations. I still distinctly remember the first time I saw him come up against a very complex issue; his eyes lit up, and he splashed it up on a whiteboard talking it out as he went. Once he felt like he understood the problem, he sat down at his computer and maintained a gleeful focus for several hours as he worked it through. To him, problems aren’t problems, they are simply questions that must be answered. He enjoys the hunt, the thrill of testing each new hypothesis until he finally finds a solution that works. He calls his problem-solving process “going down the rabbit hole” and we all know what it means, and it is beautiful (and productive) to watch. His work repeatedly revolutionized the way our organization operated the SOC as well as our approach to incident detection, malware analysis, and security outreach. These types of people are the ones you can simply point in a general direction and let them go. We can find these people by asking about problems they’ve identified and solved in the past, issues they’ve overcome, and problems they are currently working on. One step further, ask them to describe their problem-solving process and how they get from Point A to Point B. Problem solvers often show themselves right away with the passion in their voice and light in their eyes as they describe what they probably view as fun.
“You don’t hire for skills, you hire for attitude. You can always teach skills.” – Simon Sinek
Many successful cybersecurity personnel posses these same three qualities, but not all those who have them hold the lengthy resume we’ve been all but conditioned to look for. Some of them may not have even considered a career in cybersecurity or they are likely just starting out and won’t have a laundry list of certifications, degrees, or professional experience. Keep in mind, these people will not always be external to your organization. Many skills from other positions apply or can be re-branded towards a cyber focus. Often you can find these traits in other divisions of your organization and can save yourself the cost and risk of a new hire. If we start by letting go of the cyber professional stereotypes and take the time to dig beyond the resume we can find these people, give them a chance, and build them to plug the rapidly expanding talent gap.