I’ve spent the past several months blogging on the topic of careers in cybersecurity. My intent is to sort through some of the confusing (and often contradictory) messages out in the wild regarding what it takes to enter this highly rewarding profession.
Over the next several months, I want to continue this theme via a series of “open letters” to members of the cybersecurity talent development/acquisition/creation communities. Bluntly, it is my belief that we are collectively operating in ways that are exacerbating the talent shortage while simultaneously complaining about the issue. If we are truly going to make it better, we need to look squarely and honestly at these behaviors and decide whether we wish them to continue…
…and then live with the consequences of our decisions.
This first letter focuses on my fellow OSGs (Old Security Guys & Gals) out there, many of whom are sitting in CISO positions. In the case of the OSGs, our self-destructive behavior on this issue is our refusal to universally adopt a single standard regarding what knowledge, skills, abilities, and experiences (KSAEs) entry-level professionals should possess.
Every OSG I know has a well-formed-yet-specifically-vague opinion on the needs of the profession. Most of the opinions include the words “grit,” “tinker,” and/or “curiosity” somewhere before devolving into treatises about how organizations aren’t meeting the needs of our profession. Folks, I get it, believe me. Ours is a business of looking for attack forms that are not obvious and might be brand-new. We’re not as worried about the attack that has already happened as we are about the one that might be coming. Yet, unlike when we were coming up in the profession some 25 (30? 35?) years ago, there is enough data and evidence available to suggest which KSAEs would form a solid foundation for newcomers to the profession—a foundation upon which we can develop and nurture other talents and attributes as the new professional grows.
One example of this phenomenon: In recent months, I had the privilege of sitting down with several current and former Fortune 500 CISOs to discuss how to structure an offering for people seeking to enter the field. They had funding and the freedom to build any program that they wished. After several hours of back-and-forth around content, I asked the hard (yet obvious) question: “So folks trained in this program would meet your requirements and be eligible for entry-level positions…right?”
The collective response, after the awkward silence, was, “Well, not really.” After some continued gyrations around what would be needed to make these candidates eligible for entry-level positions, one of the CISOs put it plainly: “I’m not dodging your question, Kim; I’m deliberately not answering. And the reason I’m deliberately not answering is because I honestly don’t know.”
The other CISOs nodded in agreement.
There are some significant ramifications to this lack of definition:
- “Experience” becomes the differentiator…provided candidates acquire that experience elsewhere. While requirements remain nebulous for entry, there is some consensus about the need for “real-world experience” among candidates. The challenge, though, is to define (a) what that experience needs to be and (b) how to get it. If, for example, we want entry-level candidates for an analyst position in a SOC, we would love for them to have experience with the toolsets and technologies that the SOC uses. That said, how do we expect an entry-level candidate to get that experience if no one will hire them (even as an intern) to do the work? (And before you take the expected tangent on this topic: Students who have experience with either equivalent open-source tools or the actual tools via academia still are being passed over due to a perceived lack of “real-world experience.”) Worse: When an entry-level candidate has specific experience in one area (say, SOC operations) and the job posting is for an IAM role, many companies will not hire that candidate because their real-world experience is not specific to the job. It seems that “real world” experience in many cases refers to targeted experience in the specific job role/function for which you are hiring…which means your “entry-level” positions are not truly entry-level as you are looking for someone who has “been there, done that” tactically at least once before.
- We’ve created a disconnect between our desires and our recruiting practices. Many organizations are screening out entry-level candidates without at least a two-year degree, with a large number requiring a four-year degree (or better). There are infinitesimally fewer avenues for people coming up via non-traditional methods (such as self-learning, boot camps, crash courses, etc.) to apply for open positions with even a remote chance of making it to a screening interview. This, of course, is highly ironic since many OSGs eschew the value of formalized education as “lacking real-world experience and depth.”
I could go on and add a discussion of the negative impact that this approach is having on our diversity and inclusion efforts, but there is so much that needs to be discussed on that point that I’ll save it for a future blog.
I've never been one for pointing out problems without mentioning at least some potential solution paths, so here are my random thoughts as to what we ought to be doing to remedy the situation. Keeping in mind the only two things in the world that I know for certain—(1) my wife and son love me unconditionally, and (2) I could be wrong about everything else—take these as starting points that we can build upon. Here goes…
Put a stake in the ground as to what is needed for an entry-level position. There was a day and age where entry-level meant zero real-world experience. Given our continued lack of desire to create zero-experience positions, we need to be honest with the community and ourselves that we are looking for candidates with at least one year of cybersecurity experience before they are hired.
There are, of course, a couple of natural follow-up requirements for this position.
- Define what you mean by “real world” experience. For me, “real world” experience is a euphemism for “have you successfully done cyber work in as unstructured an environment as is legally and practically allowed?” To me, this can be anything from successfully participating in bug bounty programs to tackling learning-based tasks in a cyber warfare range to successfully completing highly unstructured labs within two- and four-year degree programs. It does not necessarily mean someone who has done the specific job function already. If you’re looking for someone to fill a specific role with specific experience in that role, you’re not looking for an entry-level position.
- Get serious about internship and apprenticeship programs. There is nothing more “real” than getting your hands dirty in real-world situations, yet many companies “don’t have the time” or people to create and execute high-quality internship programs. Stop looking for others to provide real-world opportunities for your candidates. Let your interns do the work and get entangled and learn. Yes, this takes time and energy—and, yes, it can potentially add liability—but in the end, it takes less energy to create that talent than it does to complain about it and respond to its absence.
- Get specific on KSAEs. Moving into screed-mode briefly, I’m truly tired of listening to OSGs explain what is missing from candidates and programs without them being able to specifically and concretely define what they are looking for in candidates. Much of our job is not prescriptive and is necessarily fluid; again, I know this. But there are foundational skills such as an understanding of protocols and services, knowledge of data structures, encryption, basic coding structures, and risk management that we ought to be able to agree upon as being foundational to the profession. The NICE Cybersecurity Workforce Framework and the Cybersecurity Competency Model are great starting points here. It would be incredibly useful for the profession to (truly) adopt these standards and mandate that all job descriptions conform to these requirements. If we don’t believe these requirements to be sufficient/proper, that’s fine. Create the standard versus continually complaining about the ones that exist.
The talent crisis we face is absolutely real, but we cannot keep attempting to solve it by an unfocused commitment to random programs attempting to address our nonspecific needs. If we are serious about solving the problem, let’s start by giving organizations and candidates clear guidance on our needs and what we are willing to do to support them.
My two cents.