Developing the Cyber Workforce

As the Chief Information Security Officer of a large public research university in the United States, I am often asked to share my thoughts about cyber workforce development. I have no idea why, because being a CISO of a large public research university doesn’t qualify me to talk about this subject, anymore than being a CISO in any other industry; but hey, who am I to turn down the opportunity to chat about one of my favorite subjects?

At Security conferences and other meetings of Security Minds, it is a common lament that there isn’t enough Security talent available, or that we lose our best talent to the highest bidders, or that the folks with the most experience are really close to retirement and that’s only going to make things worse, and let’s not forget about the lack of diversity in our ranks. So my peers want to know where they can find more talent, what the education system is doing to address the skills gap, why don’t more people want to work in Security, etc., etc., etc.

The shortage of cyber talent is a multi headed problem without a single solution. It won’t be solved by the best of intentions by Security professionals, or the best programming by the education industry. Like all complicated issues, there will be a variety of opportunities to address one piece of the puzzle, and those pieces will need to fit together to solve the overall problem. The pieces can be big (society-wide), or small (organizational processes), and none of them are simple. Some pieces are already created (certifications), some are being created as you read this (K-12 teacher training), and some are a dream yet to be fulfilled (no gender bias in computing). Some, I’m sure, haven’t even been dreamed of yet.

The good news is that anyone concerned about the growth of the cyber workforce has a plethora of places to engage, to add immediate and long term value, and to make a difference in society. Who doesn’t want that?

Higher Education

Think Community Colleges, Undergraduate and Graduate programs, and the like. As someone who has created a higher education cyber curriculum and class, I want you to know that, professionally speaking, the Information Security community is NOT HELPING. Get a bunch of CISOs in a room and ask them what skills they want students to learn and they give some vague answer like “programming skills” or “communications skills” or “writing skills”. Guess what — educators have been teaching these things for DECADES. Without calling it “Cyber Security”.

Oh, you want CYBER Skills? What, exactly, are those? Basic networking? How to spot cross-site scripting? Malware reengineering? Understanding encryption algorithms? Authentication systems? ICS/SCADA? Risk Management? Training and Awareness? Security is not One Thing, any more than “Business” is One Thing, or “History” is One Thing, and yet we expect a Computer Science department to produce well-rounded cyber professionals using a degree called “Cyber”? There are not enough available credit hours in a year for this.

Don’t get me wrong, there is a ton of great stuff already happening at the micro level in Higher Ed. There are classes available, in person and online, covering a host of cyber topics. If you want to be a cyber academic, there are a ton of Bachelor’s/Master’s/Doctorate opportunities for you. Community Colleges are kicking it with terrific skills-based cyber curriculum, and all these colleges and universities are willing to partner with companies to customize programs to meet need. (Want to know more about partnering with higher ed? Call your nearest institution — I guarantee they’ll get back to you).

At a macro-level, the higher education community needs the Security community to get its professional act together. We need to mature a common set of functions and practices (a professional cyber cannon, perhaps?) that we can all agree are permanent pieces of security (Quick Question: Identity Management — Security? Infrastructure? Business Operations? If you don’t know, Higher Ed won’t know either).

Security needs to encourage cyber academics to make Security it’s own college and discipline, not a subset of Engineering or Computer Science or Business or Anything Else. Cyber Security is more like Medicine, Law and other professional colleges, and should be treated as such. The Security industry needs to work with Academia to make this happen.

Internships, Co-Ops and Other OTJ Training

Mathematically, Higher Education cannot train the people needed to fill the gap in the Cyber workforce fast enough. This means the Security profession must create training opportunities to bring people into the profession without a formal education. Let’s face it, most of the people currently in the profession don’t have a formal Cyber education, so this shouldn’t be a big deal, right?

Well, apparently it is, because the leaders of Security teams haven’t had training on how to create an internship program, and the supporting HR structure hasn’t had training on how to do Cyber, and so no one in the company can pull it all together.

So here are some tips:

1. Pay people. If you want to get people to move from their current job to your team, you need to pay them a living wage while they learn how to Cyber. And, pay extra to the people who are training the people how to Cyber, because those managers and team leads and team members are doing extra to bring up the talent, and should be recognized for the work.
2. Have a training plan. Don’t bring new people in, even senior people, and just let them lose. Learning Cyber takes time — a lot of time — so you need to have a training plan so that everyone knows what needs to be learned before they are legitimately a Security Pro. This applies to an intern who is still in college or an intern who is a mid-career re-skilling trainee.
3. The more other-job experience a trainee has, the longer your internship needs to be. In other words, it’s OK to do a 12 week summer internship with a college student. If you are cross training someone with five years of [insert other job here] experience, you should expect your training program to be at least a year. This isn’t because they’re older, but because they will bring their own skills to the training, and part of their learning curve is how to translate what they already know to the new paradigm. They will want to go deeper, because they know deeper exists. They will need more stretch in their assignments to feel like they’re learning something.
4. Connect interns to the Security Community. I know you’re training them on the job, but part of being an effective Security person is knowing where to get help — inside and outside your company — and that means building a network of Security friends. So send them to external training, send them to conferences, give them training resources outside your own organization (your team will thank you too). Give them access to Twitter, Reddit, GitHub and other online communities while they’re on the job.
5. Within your company, create Security Internship Cohorts. Make it a badge of honor to be part of this program, and treat graduates of the program like Alumni that are regularly brought back for social events — even if they leave to work elsewhere.
6. Treat your trainees/interns with professional respect. This means to give them tasks and projects geared to their level of experience, which stretches their skills and gives them a way to demonstrate competence. Don’t just give them low value work because you won’t take a risk on them.
7. Ask your interns what they want. When I asked my undergrad interns what they wanted to learn, they wanted all the Cyber stuff, and they also wanted to know how to write a cyber resume, and do a cyber interview. Part of being a Security Pro is knowing how the entire ecosystem works — let your interns tell you what they need, and adjust accordingly. Ask them often — their pace of learning might surprise you.
8. Look broadly for internship and trainee candidates (and employees). Folks who complain about the lack of talent are ignoring the wealth of talent out there, or are not willing to pay to move the talent where it needs to go, or to allow for remote working so they can meet talent where it already is. If you’re looking in all the usual places, you’re missing out. Use your social networks to find candidates. Look for groups like Year-Up or other training programs to bring on fresh faces. Look for adjacent professions to bring on mid-career trainees.

BTW, a lot of these things apply to your existing Security staff, and will help them to want to stay in your organization, even if you aren’t paying the highest in the market.

There are other parts to workforce development that I’ll discuss in a later post — vendors who are willing to train people for free, industry collaborations for targeted workforce development, and of course all the private companies offering training. These options are terrific, and deserve their own post.

In the meantime, consider that workforce development is now a part of your job, and the job of every member of your security team. Give thought to how you will organize your time to attend to this strategic issue. Give thought to who your partners are to make this work. Give thought to what training you need, in order to attend to this issue.

Once you’re done thinking, act. We can’t wait.