Director’s Cut (Q1 2020 Issue)

As I was pondering what to write about in this issue’s Director’s Cut, I jumped onto Twitter in search of inspiration. The first tweet I saw was from @BrianHonan (Hey, Brian!): “Guess I need to stop working in #infosec. Not only do I not have a degree in computing, I also do not have any CVEs.” Bingo, that’s the inspiration I needed. 

As an industry, we’ve bemoaned the so-called skills gap for as long as I can remember. I’ve lost count of the number of times infosec professionals have told me that finding, hiring and retaining talent are amongst their biggest challenges.

We often blame the people outside of our industry for this. We question why they don’t want to work in cybersecurity. We talk about how they perceive the industry to be ‘too geeky,’ ‘too techy,’ or not diverse enough. We question how we market information security as a place to work and consider what might be putting people off. Is it the language we use? Is it the imagery or colors? Perhaps it’s the way the industry is portrayed in the media? I’ve heard all of the musings – I’ve often written about them.

We question whether it’s too stressful as a career and whether the pressure we put on our CISOs and other industry professionals is a barrier to the industry’s desirability. Are the hours too long, is the work-life balance (or lack thereof) unattractive? Perhaps it’s about a lack of defined career paths or the inability to communicate them?

I’m aware I’m asking a lot of (rhetorical) questions. Bear with me, I’m a journalist, questions are what I do.

Ultimately, all of the aforementioned concerns are founded, but I do wonder whether the answer to solving the skills crisis lies more in introspection.

“This is me arguing for a more open-minded, more inclusive recruitment strategy for the industry”

There has been no shortage of discussion around how we tackle, and challenge, the diversity problem. Whilst this has predominantly taken the form of dialogue around gender, there has been a heightened focus on ethnicity, neuro and disability diversity. Infosecurity is committed to reporting on, and supporting, diversity conversations and initiatives.

Brian’s tweet highlights another issue, which is absolutely a contributing factor in our skills gap. Maybe the answer is looking at our own hiring practices and the – perhaps unreasonable and unnecessary – demands that we are applying when screening applicants. Brian specifically mentions a degree-level education and the discovery of CVEs, but these are only some of the demands hiring managers are making.

The CVE point struck a chord with Brian’s connections. “There are about 128,000 CVEs listed on http://mitre.org. Even at one per person that leaves us with a helluva skills gap!!!”(sic) replied @ChrisInfosec. Many other commenters wrote sarcastic affirmations that, they too, believe hiring managers in the sector are way too demanding. 

Reducing – or even dropping completely – the requirement for formal education in specific topics, certifications or vulnerability discovery accolades may just open our eyes to a talent pool much greater. Before the cynics amongst you mutter anything like “Beggars can’t be choosers” or “We’re desperate, we need to be less picky,” that’s not the spirit in which this is intended. Nor is it true.

It’s not about lowering our standards, it’s about viewing excellence differently. How would academic acumen stand up against legitimate aptitude and passion? If I was hiring, I know what I’d prioritize. Clue: it doesn’t cost anything and no dissertations would need to be written.

In the 14 years I’ve spent writing about information security, I’ve interviewed hundreds, if not thousands, of information security professionals. Of those, I can honestly say that about 40-50 of them have stood out to me as being exceptional. Exceptional at their jobs, exceptionally passionate about the cause and exceptionally loyal to the industry. I can think of only one or two of this group that had a formal education in the discipline. Almost without exception, they each regaled me with tales of how they “fell into the industry by accident,” of how their passion grew organically or by coincidence. Not a single one credited a degree, a certificate or a CVE for their career or personal accolades.

This isn’t me belittling the value of formal education, of CVE discovery or of industry certification. There’s a lot to be said for all of them. Instead, this is me arguing for a more open-minded, more inclusive recruitment strategy for the industry generally. If we don’t drop the barriers and open our minds, we’ve no-one to blame but ourselves when reading through the latest depressing skills shortage statistics.

I’ll end this editorial as I began it, with Brian’s words: “There is a gatekeeping mentality by some within the cybersecurity community to exclude people from entering the industry unless they meet specific criteria...as someone who does not have a formal third level education, nor any credits relating to any CVEs, I do find this gatekeeping mentality to be elitist and offensive and, to be frank, it has no place in today’s industry.” Well said, Mr Honan.

What’s Hot on Infosecurity Magazine?