Subscribe for updates.

© 2020 Philip Venables.  

  • Grey Twitter Icon
  • Phil Venables

Cybersecurity Workforce Development

It is still somewhat frustrating that most of the dialog about the skills shortage in cybersecurity focuses, perhaps inevitably, on the all too simple answer of "let's create more cybersecurity professionals". This is usually coupled with (often unsubstantiated) claims that there are millions of open cybersecurity positions. The answer, thus, becomes fixated on how do we create all those cybersecurity people - whatever a "cybersecurity person" is.

So, we call for more K-12 education programs, more University programs, more certificates etc. Now, I'm not denigrating these efforts and those involved (including me!) - they are laudable goals and do produce useful outcomes. But, sadly, risk missing the wider point. Just as we talk about the need for secure products, not just security products, we also have to shift our perspective on people and say: we need the people we already have to be more productive - and we need more security minded people not just more security people. So what to do:

  1. Cyber-workforce productivity. If we need 10x more cybersecurity people to fill all those roles, perhaps if we could 10x the productivity of the people we have then that should significantly address the issue. Productivity isn't just about automation/orchestration - it can also be stopping doing things, aligning control mitigation practices across different IT risks, auto-configuring, embedding testing, and ensuring the right people do the right jobs matched to the right skills.

  2. Embedding security responsibility in other teams. The old cliche is true, security is everyone’s responsibility like other attributes of good systems - it's important to talk about this not as a throwaway line but actually hand off that responsibility/accountability. Hand-off into SRE, DevOps, development and other teams and support them by developing tools and process to make this happen - to disaggregate responsibility and actions according to criticality and expertise required.

  3. Embedding security training in other education programs. As others have said, we need more security education in Computer Science and other engineering degrees and more coverage in MBA and other programs - not just security, but also quality/testing/measurement.

  4. Cybersecurity is not the only technology/business risk. There are many other substantial risks and actual losses caused by software errors, availability and capacity issues, and so on. Developing cyber-controls in a silo misses productivity/effectiveness opportunity.

Let's finish off with an analogy: the medical profession [when it works well]. Not everyone who wants to improve people’s health and well-being wants to or has to be a Doctor to be effective. There are many roles requiring different skills, training and experience from (to name a few) nurse practitioners, radiologists, administrators, medical technicians, therapists, general practitioners, highly specialized surgeons through to medical research scientists. The system (not to say this also can’t be improved significantly), is designed such that the right person with the right skills sees the patient at the right point in time - no more no less - optimized around the scarce resources.

Perhaps we should be aiming for something similar, different roles with different training requirements corresponding to the needs of that role, stacking the training so people can progress over time - but not "dismissing" them if they don’t want to progress further. Making sure all the components of the system deliver the right outcome and progressively increase the productivity of each element through training, automation/tooling, adoption of new solutions and practices from research underpinned with codes of ethics/practice.