Every year, ISACA and others report on the hundreds of thousands of unfilled jobs in cybersecurity. Various metrics, from how long it takes to fill a position, to the turnover of staff, are referenced and, in my experience, people often take away the wrong message.
What we hear, when people repost and share this data, is that there is a cybersecurity talent shortage. We need more university programs, high school programs – even elementary and preschool programs to draft talent at a young age and get them enthralled with cybersecurity. If we are going to have enough professionals to fill the ranks, we need to train legions of youth at an early age.
As someone who has spent over 20 years in the field, I see a number of misconceptions that lead to this assumption. These are:
You need an alphabet soup of certifications, diplomas, degrees and courses to be a competent cybersecurity professional
This is blatantly false. That is not to say there isn’t value in the excellent certification programs put together by ISACA and others, and that there isn’t value in continued investment in your education. But as most of us who have been in the field for any length of time know, the vast majority of “old timers” in the field entered from either adjacent fields (such as IT, computer programming, criminology, the armed services, etc.) or even completely unrelated fields of study and work. These different backgrounds bring valuable perspective to teams.
Fewer companies are requiring degrees of any kind for cybersecurity roles; often, hands-on training or certifications are seen as equally valuable. But you don't need every credential out there – start with one from a well-respected organization that matches your professional needs and goals.
You need a decade or more of experience to be productive
Not only is this untrue, it is a dangerous assumption. The modern IT stack of cloud services, IaaS platforms, SaaS applications and remote workers as a mainstream pattern is a few years old at best. When I studied electrical engineering decades ago, I was told the half-life of our education was six years. Fast forward to today, and we see that we need to constantly update and refine our understanding in cybersecurity, adapt new best practices rapidly and ultimately develop a strong change management culture to be successful. Any organization standing still or relying on years-old knowledge will quickly be bypassed by threat actors.
Security is a title
Beware the job posting where companies expect the unicorn with 20 years’ experience, knowledge of both ancient technologies and modern ones, and experience ranging from SOC management to compliance to appsec. The problem is not only that hiring teams are woefully disconnected from reality in terms of realistic skillsets and costs, but also that they believe that if they can just hire said unicorn, all their security problems will be solved. The reality is that an organization-wide security culture, drawing on the skillsets of a diverse team with diverse experiences, is critical to addressing security in the modern organization. Any attempt to silo it off in IT, compliance or some small corner of the organization is doomed to failure, and the desire to be rescued by an uber-technical security savior is likewise doomed.
So, instead of following these security anti-patterns, what do I recommend as successful approaches?
Recognize everyone has something to contribute
Not only are your “users” your best asset in defending your organization, interest in security and talent will hide in plain sight. Perhaps your executive assistant has a passion for social engineering, your developers can embrace appsec as part of their systems development lifecycle (SDLC) rather than bolting it on as an afterthought brought by an external team, and your finance department is the frontline in defending your organization from fraud. As I mentioned earlier, most of us old timers have entered via non-security fields, and talent and interest can be found everywhere.
Youth and diversity have value
The security mindset is the opposite of “this is the way we operate around here.” People with different life experiences and younger talent will often approach problems in completely unforeseen ways and can greatly complement a security organization. Nobody has decades of experience with three-year-old programming languages, two-year-old cloud technologies or a 12-month-old SaaS platform, so your younger staff will often rapidly absorb these technologies and bring value to security conversations. I might be reluctant to teach myself machine learning with my busy schedule, but a young grad will have been immersed in it and understand how to apply it in productive ways. This applies equally to older employees and career switchers, who have a different background and perspective but are new to security.
Coaching and mentoring are key
Of course, if you’re going to hire less experienced staff, you need to combine their enthusiasm and technical chops with organizational know-how and business strategy. If you combine hiring with mentoring and coaching, you can dramatically increase the impact of your hires and bring much-needed new knowledge into your leadership team. Mentorship done right provides value in both directions.
Interviewing and nurturing talent this way is different than simply stacking up technical challenges and certification gates and requires different organizational strengths. There is no talent shortage the way it is often characterized. To the extent it does exist, it exists in managers and leaders who struggle to see the human capital that already is present in the market.
Editor’s note: Find more Cybersecurity Month resources from ISACA here.
About the author: Michael Argast is an experienced cybersecurity professional with over 20 years of industry experience. He is the co-founder and CEO of Kobalt Security Inc., a rapidly growing cloud-focused security services provider. Kobalt works with over 100 cloud-focused technology companies to help ensure the security of their organization and cloud infrastructure. Kobalt’s experience across AWS, Azure, GCP and a wide range of SaaS services is unique in the security services industry.