We have serendipity to thank for most information security professionals.
Rarely do I interview or talk to anyone in this industry who tells me that this is the career path they actively, and determinedly, pursued. Instead, I hear recurring tales of how people have “fallen into it by accident”, and these fortuitous infosec pros are almost always delighted that this was their accidental vocation.
Whilst serendipity has been on our side to date, it’s simply not good enough that we are relying on this as a means of staffing our profession. Nor is it even an option as we stand on the brink of a skills gap crisis that threatens to put the white hats well and truly on the losing side, as under-resourcing and lack of talent threaten the security of our data, our money, our businesses and our privacy.
Imagine an infosec world without the James Lynes, or the Charlie Millers, or the Neira Joneses. It’s unfathomable, right? Yet, this would be a reality if it wasn’t for serendipity. James Lyne didn’t go to university. Charlie Miller studied Mathematics. Neira Jones wanted a career in finance. Without being in the right place at the right time, these industry stars would have been swallowed up by other industries. Whilst it makes for a great tale of fate, it’s really not OK.
The career paths into information security are currently undefined, unpromoted and far too rigid. As the saying goes, beggars can’t be choosers, yet despite projections that the world will face a shortfall of 1.8 million cybersecurity workers by 2022 (statistic taken from the (ISC)² workforce study), employers are still demanding unrealistic years of experience or specialized further education, thus excluding and alienating a huge potential pool of talent.
The good news is that there is growing recognition from industry that this is unsustainable and needs to change. The Cyber Retraining Academy is an HM Government program delivered in partnership with SANS. “The remit for applicants is to have no cyber experience, and show an aptitude for cyber”, Stephen Jones, managing director of the SANS Institute, told me, but that’s where the requirements end. “Absolutely anyone can apply.” The 2017 Academy’s 55 students included a bartender, a professional gamer, a journalist, a psychiatrist and police officers.
After a 10-week intense program, graduates have the skills to be deployed into industry in entry-level information security roles. The Academy has many industry partners waiting in the wings to snap up the talent. I visited the industry day organized halfway through the course. The career-fair-style event connected the students with industry partners, with many offering hacking games to assess students’ talent.
I spoke to representatives from a few of the supporting companies, including Huawei and the National Crime Agency, about what they were looking for from the Academy.
They all admitted a struggle with hiring talent and saw the Cyber Retraining Academy as a great opportunity to recruit. For Huawei, lack of specific further education or industry experience pales in comparison with natural talent and passion. Academy applicants take aptitude tests to “assess whether their brains work in the right way.” In other words, it’s doing what the rest of the industry should be: discarding experience and education in favor of natural talent, mindset and willingness.
The stats speak for themselves: upon graduation, all students got jobs, and every industry supporter of the inaugural Academy came back this year for its second helping of talent. “The guy we recruited from the first Academy is absolutely phenomenal”, said a Huawei rep.
We certainly shouldn’t dismiss the importance of formal and specialist education. A degree in computer science isn’t going to be in vain – there will always be a huge appetite for specialist graduates. They alone will not fill the talent pipeline though, and nor should they.
Industry needs to open its eyes and mind to alternative talent, the people who code for fun, who look for exploits as a hobby, the people like James Lyne – our profile interviewee – who live and breathe cybersecurity despite never having stepped into a cybersecurity classroom (unless it’s one he is teaching).
It’s about changing the view of what a good cybersecurity professional looks like. Look for the skills and qualities that can’t be learnt in the classroom. You can’t teach passion, you can’t teach aptitude. Employers would be wise to take a chance on these qualities and then invest in the people, adding formal training as and when necessary.
At present, information security is an industry with many closed doors and the paths leading to those doors are ambiguous. Given the skills gap we face, this is catastrophic.
The Cyber Retraining Academy is a great start, but funding is limited and with the current scale, it’s going to make a tiny (but wonderful) dent in a huge problem. Industry needs to rally to support and fund similar initiatives, opening doors and investing in talent, not certificates. Recruiters can practice this same methodology within their own organizations and reap the rewards.
For now, let’s celebrate the accidental infosec pros who found their way into the industry by chance but continue to light it up every day. Thank you, serendipity.