In part one of this blog series, I made the assertion that there is no cyber talent gap, but there is a cyber experience gap. If we are going to resolve the talent situation, the profession needs to pick a direction and move uniformly (note the word!) towards that objective. Last year, I tried to gently nudge the profession; now I’m blatantly throwing down the gauntlet. To start this call to action, here are some tenets that I believe we need to agree upon immediately:
Tenet 1: Entry level positions have a starting experience requirement of zero. An entry level position is one within which you gain experience and skills. By definition, this means that these are jobs for which there is an expectation that a person will receive specific skills and training in order to perform the necessary job function. If you are advertising a position that has a low-end experience requirement of greater than zero, then you are advertising a junior (versus entry level) position, for which you are trying to steal talent away from someone else who has taken the risk to train and educate your preferred candidate.
Tenet 2: It is time to end the unicorn hunt. A friend of mine who runs a top-notch cyber talent creation program at a western university once told me of a situation where a CISO approached him to tap into his student talent pool for a new position. After sending his students to interview, the CISO declined to hire any of them. When my friend asked what the issue was (“Is there something we’re not training the students in?”), he was told by the CISO that “we’re looking for purple unicorns.”
If all you’re looking for are purple unicorns then you are exacerbating the talent problem. Instead of hunting unicorns, we need to work on nurturing and raising a cadre of solid thoroughbreds.
Tenet 3: Basic skills are universal. Instead of looking for experienced purple unicorns, we need to start describing what basic skills we expect the entry level candidate to have in order to enter the field. I’m getting tired of listening to cyber professionals complain that candidates “don’t know anything” or “can’t do anything” whilst we remain self-righteous in our collective refusal to define the minimum necessary requirements and hide behind the myth of complexity. In my mind there are four basic skills that everyone must have (and be able to demonstrate) in order to be considered “trainable and employable” for an entry-level cyber position:
- An understanding of the principles of confidentiality, integrity, and availability.
- An understanding of coding structures. Note I didn’t say coding (though usually you need to code to gain this understanding); I said coding structures. To me, this means knowing how to logically flow code in order to solve a problem. While there are many jobs in cyber that don’t require a daily working knowledge of code, understanding how the code logically handles a problem is key both to creating a common taxonomy with engineers and to ideating about creative solutions to tractable problems. The coding language itself is irrelevant; it's understanding the logical flow and how the code fits together that’s important. You don’t have to go to college or take a formal course to gain this knowledge. Python is free, and there are lots of open tooling options as well as self-paced learning modules on YouTube that can teach this skill. The success measure is that the candidate, given a flow chart template, can diagram the logic necessary to program an automated solution. This also demonstrates attention to detail and logical thinking – both great skills for a cyber professional to possess.
- Critical thinking skills. We keep talking about the importance of this skill, but we don’t really spend time developing it or looking for it amongst the candidate population. Security, at its core, often requires figuring out how to make lemonade out of two apples, a grapefruit, and a kumquat. Having the mental acuity and flexibility to “think outside of the box” (or, even better, recognize that there is no box) is a critical skill set in our profession.
- An understanding of the OSI model, to include:
  - The basic functions of each layer of the model;
  - The types of attacks that one can expect to see levied against each layer;
  - How these attacks work;
  - 1-2 methods of preventing these attacks from being successful.
Don’t like this list? Great! Let’s have the dialogue and create one we can all agree upon. Too simplistic for you? Also great, provided we rally hard behind an existing framework (such as the NICE framework) to the point where (a) we refuse to post jobs whose requirements and responsibilities do not map to these documents, whilst (b) not forgetting Tenet 1 above.
Tenet 4: Interview for what you’re looking for. Organizations using standard interview tropes and formats are just as myopic and out of touch as those who insist that “technical interviews are all that should matter” (to the latter population: great technical prowess combined with an inability to communicate or function as part of a team makes you less than optimal for the majority of non-entry level positions out there). If the skills listed above, for example, are considered essential for entry level candidates, then let’s interview for those skills! Test knowledge of the OSI layers as part of the interview; have the candidate do a code flow test; and test critical thinking by presenting the candidate with a Kobayashi Maru-like problem to solve. The answer to the latter is less important than understanding the candidate’s thought processes (and their ability to express those processes to the interviewer). Note that the next step in the interview would be to vary the parameters of the problem and see what the candidate does and how they react.
Tenet 5: You’re going to spend money one way or another; you get to choose where, when, and how. You can either:
- Choose to spend money on your recruiting efforts as you continue to have difficulty finding people and placing them; or
- Choose to spend money on taking in passionate people, training them (with specific pathways and in partnership with training organizations and/or higher education partners), and providing them with clear career advancement pathways.
The profession tends to espouse the importance of doing the latter whilst spending its money and resources on the former. Worse, larger companies with deeper pockets tend to aggravate the problem. I’ve often heard large-company cyber leaders state that they “will just outbid others on talent.” This model is not sustainable; it sets unreasonable expectations for compensation and makes it harder for mid-range organizations to afford cyber talent.
As a profession, it is time we started to look at the talent problem strategically as well as operationally and tactically. This means looking at talent growth and sustainability in the longer term as well as the immediate term. Failing to do so may sound the death knell of our profession as a profession.
So…what are we going to do about it?
Gauntlet thrown, folks. Time for the profession to pick it up and accept the challenge.