Everyone seems to think that there’s a lack of qualified security professionals, and that the reason is that there aren’t enough people entering the field with the required skills. There is a fallacy behind that thinking, though. People think that security is a stand-alone discipline, but it is actually a discipline within the computer field. Treating it otherwise is a mistake.
Most of the people who have been in the security profession for more than a decade, including me, entered the field without a cybersecurity degree. We might have certifications, but we don’t claim that those certs are the source of any expertise we may have.
My own experience is not atypical. In all of my years of working, as an employee or contractor, for the National Security Agency and other military and intelligence agencies, I never performed specifically what would be considered security work.
In fact, I didn’t even start out in the computer field at the NSA. I was an intelligence analyst who hated his job, so I applied to the computer systems intern program. In those days the NSA couldn’t find enough computer experts, and so it created a program to identify people with high aptitude for computers and trained them. Although I later became known for security expertise in the private sector, I was never given any security-specific training. Instead, I had years of on-the-job and formal training in good technical and operational practices. My later success in penetration testing was mostly built on detecting the absence of good practices, not formal training in how to hack systems or perform social engineering; I never had to use any advanced skills, given the woefully poor security I encountered. In other words, it was nothing like what happens in cybersecurity programs.
Of course, the NSA does have people whose work focuses on security, and like me, they moved into that area after learning about things like operations or networks; they didn’t start out in “security,” unless it was at an entry level and under the tutelage of a senior person.
The NSA isn’t alone in taking this approach. Other intelligence and military agencies, government contractors, the large banks and other leaders in implementing strong security programs focus on identifying people with the appropriate aptitude and related skills, then give them the formal and on-the-job training to competently fill security-related roles.
There’s a similar dynamic in every profession. We don’t hear about engineering firms bemoaning a lack of people with degrees in bridge engineering, or architectural firms complaining about a dearth of graduates with degrees in skyscraper architecture. The military doesn’t cry out that it can’t find recruits who are already trained in combat. Why, then, do so many government agencies and private-sector enterprises bemoan a lack of cybersecurity professionals? Here’s what makes me crazy about this: It does more harm than good to insist on more people coming to them with cybersecurity degrees; those degree holders are just never going to be as knowledgeable and competent as the security-focused professionals that organizations can grow themselves.
You would think that organizations would realize this, since they apparently pass over people with cybersecurity degrees all the time. I’ve spoken to dozens of people with cybersecurity degrees who can’t get hired because they don’t have the technical skills and abilities required for low-level positions. But bad as it is that cybersecurity degrees are not technical enough for entry-level security positions, they also are usually not technical enough for any entry-level positions in the computer field.
In any case, security positions are not entry-level positions, and if you treat them as such, you will have terrible security. The best security practitioners have experience in the technology and processes that they are supposed to secure. If you are not an experienced developer, you do not have the standing to tell people how to secure the code they write. If you have no experience as a system administrator, you cannot maintain the security of a system. If you have no experience as a database administrator, you cannot secure a database. If you have no experience in designing a network, you cannot competently design a secure network.
Security professionals are developed over time, just as happens with experts in every profession, including all of the other disciplines within the computer profession: You are assigned a position that is consistent with your skill level, learn on the job and receive appropriate training. It is that simple. You can “create” a security professional by finding someone with the required minimum skills — usually a computer professional with several years of experience — and then having them learn the security-specific skills required through on-the-job training, mentorship and formal training. I mean, think about it: In many cases, firewalls have been installed and well maintained for years without the benefit of newly minted graduates from cybersecurity programs.
The approach that seems to prevail these days — seeking a new hire who already has the right skills and experience or hiring them away from another organization — just doesn’t work. But it is why so many people believe there is a shortage of security professionals.
I can promise you that a competent computer professional with five years of experience will be more effective than a new graduate with a cybersecurity degree. I’m not saying that training, including cybersecurity degrees and certifications, is without value, but it is rarely a match for hands-on work experience.
Instead, organizations should look internally for skilled computer professionals who, despite having no stated experience in security, can quickly adapt to security roles. Those people do exist, and their real-world experience goes a lot further than any number of certifications or degrees.
Sure, it would be great to have lots of people with the necessary security skills clamoring to fill your security positions. But unless you have a program to identify competent professionals within your organization and offer them jobs and training that will arm them with security expertise, you are creating your own cybersecurity skills shortage. Don’t moan and groan that these people do not exist when your organization is just too cheap or narrow-minded to look internally and offer training.
Forget about finding people with cybersecurity degrees. Forget about hiring hackers. Look for the people with a willingness to expand their skillset. I guarantee that you will stop complaining about a lack of talent, and your security program will benefit.
Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. He can be contacted through his Web site, securementem.com.
This story, "The myth of the cybersecurity skills shortage" was originally published by Computerworld.