Cybersecurity’s Disastrous Game of Chicken
There’s no defined pathway for a cybersecurity career — here’s why that’s a problem, and how to solve it.
July 13, 2017
Not too long ago I presented at my first Meetup focused on cyber careers. The more than 30 people in the audience were mostly men of all ages (more on this below), with backgrounds ranging from first-time students to transitioning IT professionals. Some were frustrated that the time and money they spent to get a cybersecurity degree hadn’t resulted in any significant job prospects. Others knew they were interested in “breaking into” cybersecurity but didn’t know where to start or what part of the industry they should even pursue.
Unlike professions like medicine or law, cybersecurity still lacks an established set of skills, degrees, and qualifications that define what a career in the industry looks like. The result: confused candidates and frustrated employers who struggle to reconcile paper qualifications with the skills they really need in their workplaces. In my own career I’ve interviewed lots of candidates that had the relevant certifications, but they still couldn’t communicate tough technical concepts or demonstrate their ability to perform required job functions. The future of the cybersecurity workforce has turned into a game of chicken — who is going to move first and build a pathway — the supply (educators) or the demand (employers)?
It is time to end the game of chicken: It’s employers who need to take the lead to build this pathway by first defining their true needs, rather than continuing to rely on the outside world to solve their talent problem and hope perfectly qualified candidates show up on their doorstep. Training organizations, my own company included, are eager to develop, build, and deliver courses and programs that meet definable job requirements. I’d rather develop a training course that teaches students how to develop network and malware signatures instead of a generic security analysis course. In case there’s any doubt about the eagerness of educators, take this into account: there are 217 universities accredited as NSA Centers of Academic Excellence in Cyber Defense and over another 50 dedicated to Cyber Offense. There are currently more than 85 cybersecurity-related certifications, ranging from the foundational to the highly specialized.
Candidates face obvious confusion and a time-consuming process in determining which programs best suit their needs and evaluating the quality of their choices, and employers face a similar challenge on the other side. Not only do companies have to sift through this landscape and determine where to pipeline the best talent, hiring managers often tell me they more frequently get over-certified and under-qualified candidates. With no other structure in place, employers default to using trusted referral networks (a nicer way of saying “poaching”) and relying on the keywords their HR and recruiting teams default to when screening candidates, rather than actually hiring for the skills their organizations need.
This stratified, confusing landscape may contribute to another insidious — and dangerous — characteristic of the cybersecurity workforce: its homogeneity. Women and minorities remain vastly outnumbered in the field, representing only 11% and 12%, respectively. Outside of gender and race, overwhelmed hiring managers also frequently fail to recognize or encourage the utility of interdisciplinary or “soft” skills that are useful in the industry. All of this behavior leads to an inability to draw in candidates with diversity of thought, experience, and perspective.
Luckily, a new model is emerging in the cybersecurity profession that emphasizes the diverse, multidisciplinary, and fluid nature of the cybersecurity field. The National Institute for Standards and Technology (NIST), a group under the US Department of Commerce, has created a Cybersecurity Workforce Framework that provides an initial contextual understanding of the range of jobs and associated skills needed in key jobs. This provides the field with its first data-driven snapshot of open cybersecurity job positions and allows us to reimagine cybersecurity as a profession with both lateral and vertical career paths, just like medicine or law.
That framework is a start. The next step must come from employers that are uniquely situated to articulate the knowledge, skills, and abilities most needed in their cybersecurity roles. Once they do that, they may even begin training existing employees, saving money on expensive recruiting efforts.
Either way, more direction from demand will have a ripple effect on supply, enabling K-12 schools, university systems, and the training community to create the most effective training modules and programs. Ending this game of chicken will leave employers, employees and society in a better position. Private sector — it’s your move.