Anyone who knows me well knows that I have a penchant for using lines and scenes from movies to illustrate my points. As I start this blog, the line that keeps flashing through my mind is from the James Bond movie, Doctor No. Bond and Felix Leiter are attempting to persuade the Quarrel to return to the villain’s island, Crab Key. When they recognize how afraid the fisherman is, Bond asks Quarrel for the navigation directions so that he may make the trip alone.
“Navigational directions? I gets my navigational directions from my nose, my ears, my instincts,” replies Quarrel.
Lately Quarrel’s line keeps popping into my mind every time I listen to my fellow professionals debate the cyber talent issue. The comparison is very accurate, and also a tad unflattering.
Last year, I penned an open letter to CISOs regarding our profession’s disjointed and unfocused approach to solving the talent gap. I argued in this missive that our lack of consistency and agreement on what was needed to enter the cyber profession was limiting our ability to close the talent gap. Further, this lack of agreement was causing people to spend inordinate amounts of time (and money) on activities designed to allow entry into the profession with minimal results.
To say that this blog post met with an intense wave of response would be an understatement. For several months, I found myself inundated with posts and comments agreeing with the problem and the need for a solution. I heard from senior cyber and IT professionals applauding my exposing of these challenges. People reposted and then commented favorably on the blog, proclaiming that “we need to fix” this problem.
More prevalent, though, were the moving (and downright heartbreaking) stories of those who had been confronted by this challenge…hard. The nurse who had gotten three security certifications yet couldn’t find a job. The person who had gone back to college to get a cyber degree only to be told that “degrees didn't prove anything” regarding her fitness to be in the cyber profession. The forty-something who — at the encouragement of a cyber professional to go to community college as he would “actually learn how to do something” — could not get that same professional to even submit his resume for an entry level position on his organization’s security team.
Above all else came the cry from so many about the hypocrisy of the profession. One person summed it up succinctly: “Every employer wants specific, focused, experience in a specific skill area in order to be considered for a position as long as we get that experience somewhere else before applying for a job.”
Our inconsistency around (and reluctance to define) the what and how of a cyber career has left many discouraged, if not disgruntled. As a profession we have presented ourselves as “talking a good game” without being collectively committed to concrete solutions to the problem. We surround ourselves with the mystique and complexity that exists in our field and use this as an excuse for not affording others the same opportunities we received when we entered this profession ourselves. Yet with the same voices we tout the importance of diversity (despite the fact the underrepresented minorities are the most harmed by inconsistency) and gnash our teeth at the 500,000+ jobs that remain unfilled in cybersecurity.
News flash, folks (and this may be hard for some of you to hear): there is no cyber talent gap. Rather, there’s a cyber experience gap that we ourselves have created because we’re too scared to take our eye off the tactical ball in order to edify and train a cadre of personnel to follow in our footsteps.
There’s a plethora of motion around this topic, but very little velocity. Remember that velocity is directional; it is speed in a given direction. It’s time we took ownership of the fact that we as a profession are principally responsible for creating the talent death spiral that we rail against. Then – and only then – can we make more significant strides to solving these issues.