The Never Ending (Security) Story
Do You Know 2.5 People Who Would Be Good for Security?
One of the biggest challenges I have, when working in Security, is that the job is NEVER. EVER. FINISHED. Every day there is the same stuff, there is new stuff, but there is always STUFF.
Now, if I was a glass half full kind of person, I would happily remind you that, because there is so much stuff, there is job security. There are loads of opportunities for improvement. There are so many new and wonderful vectors of attack and defense that the job always has variety. There are so many people wanting to get into the industry that you meet new people every day, which is exciting. You can do your job in any location, in any industry, at any time of day or night, and you would never run out of stuff to do. Yay!
There’s just one problem — I’m a goal driven person. My sense of accomplishment comes from, well, accomplishing something. And, in this Security environment, where the purpose is to defend, and the threats are many, the goal posts keep moving. I can count my victories in ten yard increments, but those ten yards just get me ten yards closer to something that just moved ten yards further away.
Now, I know, that when I look at all the things we have accomplished as a team, and as an industry, we have come a LONG WAY. Looking backwards, I can see the distance we’ve traveled. I can see that we have the attention of the boardroom, of the VC investors, of the politicians. I can see that the industry is hot, hot, hot. I can see the cyber security degrees, and the career counselors advising high school kids to consider a career in cyber security. I can see the growth of diverse representation in the industry. I can see some companies really doing a great job in defense.
But it’s not good enough.
The truth is, I want a cure. I want the cyber equivalent of a polio vaccine, that can wipe out the insecure hardware, the buggy software, the ignorance of the cyber anti-vaxxers. I want to live in a world where my Kid can share pictures and texts and purchasing information without being worried it will come back to haunt them. I want folks to be able to trust that when they get an email from the boss, it’s really from the boss. I want to be able to have a job that doesn’t require me to wear a tinfoil hat, and run around reminding people that Bad Things Can Happen, and can they please just slow down and think about that for a second?
Unfortunately, this problem is too big, and this isn’t a problem I am capable of solving on my own. Or even with my own team, or at my own company. No, this is a cultural/societal issue, and just like all issues of this kind, the solution to the problem is multi-faceted and complex. So, if we’re going to fix it, we’re going to need a lot of people who will bring their diverse selves to the problem.
I’ve always believed that the whole is greater than the sum of the parts, at least when it comes to people. So, if we’re going to find a “cure” for cyber security, and that’s a problem too big for one person to solve, the only path forward that I can see is for us to bring more people into the team. My theory is that someone we bring in will find the beginning of the ball of spaghetti, and will start the process which will result in the outcome we all want.
Really, Helen? (I hear you say). Have you heard about the shortage in the cyber workforce? Well yes, yes I have. But here’s the thing. According to those numbers, in the US we have 716,000 cyber professionals as of January 2019, and we’re projected to have a 1.8 million shortfall by 2022. The numbers are similar in other countries. That means that, if each of us find 2.5 people to add to the cyber workforce in the next 2 years, we can close the gap. Only 2.5? How hard can that be? And, let’s say we double it to 5 new people for every existing security person. What might those people do to help us solve the problem?
The good news, for me, is that I work in Higher Education. What better place to put focus on bringing more people to cyber security? What better place to train MBA students on the importance of cyber, and how to make room in their budgets to hire cyber professionals? Where else can I influence the training of K-12 teachers, so they can introduce high schoolers (and middle schoolers) to the joys of cyber security?
The good news, for everyone else, is that this work is already in progress. Not just in high schools and community colleges and universities. Also in boot camps and technical programs and free online education sites. Professional security organizations are sponsoring and training and connecting new people. Governments are writing policies encouraging investment in cyber workforce development. Companies are training new people, at the start of their careers and reskilling in the middle of their careers.
We don’t have to start from scratch. We just have to name the goal, and work intentionally towards it. And if I know anything about the security community, I know we are smart, and tenacious, and creative, and will get this done.
We (I) have to stop measuring progress in ten yard increments. This Security thing is, for now, a never ending story, but there is the possibility of ending the cycle by bringing more people (more diverse people) to find solutions to the problems. And that is an accomplishment that is easy to do, easy to measure. It’s a long game, no doubt, but one we can surely win.
May it be so.
September 2019
