There is no denying the large number of vacant full-time positions to be filled in the cybersecurity workspace. The numbers range from 3.5 to 4.7 million globally. As most CISOs will attest, the talent pool has never been tighter, and the squeeze will only continue. Necessity is the mother of invention, so this critical need requires different thinking about who can contribute to security teams’ successes.
For some, the answer is surrender. They simply accept they are resource constrained, keep the executive staff informed of the risks they are assuming due to lack of resources, and call it a day. This is not the path I’d advise, as it is almost certainly a step toward the self-fulfilling prophecy of the alternate CISO acronym, “career is so over.”
For others, this is an opportunity to create new pathways to success for their teams and the individuals who are afforded opportunity. Here are some ideas about what those pathways might look like.
Make entry-level cybersecurity jobs just that
During the recent RSA conference, I asked Curtis Simpson, Armis CSO, about the complexity of the tools being brought to market and the learning curve needed to be a contributing member of a team. He sees a high school graduate, maybe with some community college classes and “critical thinking skills,” as having what they need to know to fill an entry-level cybersecurity position and be operational within days. The key, he says, is in removing the complexity of the systems being used.
HPE’s CSO Bobby Ford shared his perspective with me: “Entry level should mean just that – an entrance into the field or role. I feel very strongly that you’re overlooking potentially tremendous talent if a particular skill set is used as a barrier to entry. My approach to cultivating talent is drawn from my experience in the military. I’m looking for people who have an interest in the subject matter. We can teach the skills to anyone willing to learn.”
Ford gets no argument from me as one who has spent a good part of his professional career developing vocational instruction for the rather unique skill set of the intelligence officer. Early in my professional career I was also the beneficiary of the “take someone with interest” way of thinking Ford describes. I was a 20-year-old file clerk whose claim to fame was he knew A-Z and 0-9. I was given the opportunity to learn a skill as a “telecommunications specialist.” The CIA was experiencing a shortage of radio-qualified operators who knew Morse code, Radio Teletype (RTTY), and how to use encryption methodologies (one-time-pad, one-time-tape, and a variety of devices). This was almost a half-century ago, but the lesson remains valid.