Now, some might argue I'm being purposefully inflammatory here with a clickbait title, in the hope of generating a few thousand views. There is light at the end of this conspicuous tunnel so bear with me …
As an industry, there is undoubtedly a vast amount of hiring ahead of us that will require a huge number of people to fill the demand. As it currently stands, absolutely, there are not enough people to fill those roles, there is no denying that.
However - this problem doesn't stem from a lack of people. It's from an overly risk-averse approach to hiring, and a narrow mindset around how we go about it.
For smaller organisations building their first ever security function, it's somewhat understandable. They're tackling a problem they haven't encountered before, with zero knowledge of the subject matter; so they look to find someone from their direct competitor who can bring that knowledge to them. Understandable. Fear of the unknown, get someone who's seen it all before. Fine. Bit like booking a wedding planner, best not to risk it.
But really, we know that’s not the case. 'Been to one wedding, been to them all'. SMEs are facing the same cyber problems as the business upstairs and the company next door, regardless of the industry. They simply don't know what they don't know, and it's down to the information industry to help educate them that it's possible to solve the problem with people from all manner of sectors, not just their own.
The same can't be said for 'big business' though. The larger organisations out there, who still consider their security problem to be entirely unique, and believe that no-one has seen anything else like it, are perpetuating a fallacy. Yes, there may be certain procedures or operations that are unique in some aspects, but I don't believe anyone is (to my knowledge) reinventing the wheel when approaching security. So why are we still so rigid in our hiring?
The answer stems from a risk-averse approach to hiring, which in turn stems from a risk-averse culture in general. We've all heard the various speakers at InfoSec events talk about a 'fail-fast culture', but I know from endless conversations with security professionals who I work with day in day out, that very few have cultures where it's genuinely ok to get things wrong. It's why organisations are looking for a hundred out of a hundred requirements to be fulfilled when going to market, and then find themselves wondering why they haven't hired nine months later. Risk-averse cultures are perpetuating risk-averse hiring, and it's holding the industry back.
Cyber is, for the first time in its existence, 'in vogue', forever in the media and now in the boardroom, but the barriers to entry are holding us back from riding the wave. Relying on perfect ten-out-of-ten hiring isn't going to plug the gap. To the dozens of CISOs who have told me of their ties to Royal Holloway and their plans to draw talent from there, I'm afraid to say, given the number of you with the same plan, unless they have begun successfully farming graduates, it won't plug the gap either!
There's an abundance of network engineers and infrastructure analysts with an itch they're ignoring around whether or not they should make a move into InfoSec. Then there are those who may not have that itch, but do have a negative view of security as a result of bad interactions in years gone by. Has there ever been a better time to change perceptions through a step change in behaviours and openness? Or, further afield again, to colleagues in Op Risk, Audit, or from elsewhere in the business, who see Cyber as an intriguing opportunity that’s close by but with no obvious channels through which to get involved or even begin to learn. Organisations need to take ownership of upskilling individuals who might not be the final product now, but can be turned into something close to the desired end state. There wasn't anyone with three JD Edwards roll-outs under their belt when the first instance came to market, but the result was achieved with an understanding of the fundamentals and a mindset around solving the problem.
Let's also not forget, if we continue to hire within sector, our diversity challenges will continue to loom. It's no coincidence that all of the 'UK Technology Fast 50' see diversity & inclusion as a driving factor behind their success (1). A roughly 11% female population in information security will remain 11% if we only fish within the 11% (2). Perhaps the person who does reinvent the security wheel will come from an obscure background and bring a different way of viewing the problem. No-one ever learnt anything listening to themselves.
Alternatively, we can continue to rely on our friends in the Big4 to plug the gap and provide an extra layer of risk-averse padding around the problem. They're good at what they do, don’t get me wrong - but they help us all in kicking the can further down the road. They're beginning to be spread as thin as the rest of the industry, and bring with them a culture that doesn’t necessarily align to your own. Their knowledge doesn’t stay at the end of the programme – it leaves, along with a significant chunk of your budget & emotional investment.
So why don't we put a greater emphasis on using their staff to up-skill ours? Using the highly-skilled contractor workforce out there to train people internally? Both are guns-for-hire, and will largely fire where you aim them - changing the onus from pure CapEx deliverables to a wider value-add in the people they interact with. I'm not suggesting this is the solution, but it brings us back to having to change our approach to education in the sector, barriers to entry and our risk-averse culture when looking to solve the problem.
I'll never get an Oscar nod if I don't round this off with a quippy quote. So I'll leave you with some Benjamin Franklin, the renowned cyber expert:
"Tell me and I forget. Teach me and I remember. Involve me and I learn."
I think it's fair to say there's no shortage of people out there telling us about the cyber skills gap, and not a lot of learning …