Cybersecurity Workforce Development - Updated
It is still somewhat frustrating that most of the dialog about the skills shortage in cybersecurity focuses, perhaps inevitably, on the all too simple answer of "let's create more cybersecurity professionals". This is usually coupled with (often unsubstantiated) claims that there are millions of open cybersecurity positions. The answer, thus, becomes fixated on how do we create all those cybersecurity people - whatever a "cybersecurity person" is.
So, we call for more K-12 education programs, more University programs, more certificates etc. Now, I'm not denigrating these efforts and those involved (including me!) - they are laudable goals and do produce useful outcomes. But, sadly, risk missing the wider point.
Just as we talk about the need for secure products, not just security products, we also have to shift our perspective on people and say: we need the people we already have to be more productive - and we need more security minded people not just more security people. So what to do:
Cyber-workforce productivity. If we need 10x more cybersecurity people to fill all those roles, perhaps if we could 10x the productivity of the people we have then that should significantly address the issue. Productivity isn't just about automation / orchestration - it can also be stopping doing things, aligning control mitigation practices across different IT risks, auto-configuring, embedding testing, auto-generating tests from threat models, and ensuring the right people do the right jobs matched to the right skills. This isn't just a technology issue, there's just as much efficiency gains to be had from "business policy as code" as there is from "infrastructure as code".
Embedding security responsibility in other teams. The old cliche is true, security is everyone’s responsibility. Like other attributes of good systems it's important to talk about this not as a throwaway line but to actually hand off that responsibility and accountability. Hand-off into SRE, DevOps, development and other teams and support them by developing tools and process to make this happen - to disaggregate responsibility and actions according to criticality and expertise required. Use simulation and scenario/war-gaming to continuously build muscle memory for managing risks and crises across the organization.
Embedding security training in other education programs. As others have said, we need more security education in Computer Science and other engineering degrees and more coverage in MBA and other programs - not just security, but also quality/testing/measurement. This also includes embedding more security topics in the other training and professional skills development efforts in our enterprises. Perhaps a better investment of people's time would be to get the security training at point of most need in the context of their job rather than people being brought to the security training: bring the training to the people not the people to the training.
Cybersecurity is not the only technology/business risk. There are many other substantial risks and actual losses caused by software errors, availability and capacity issues, and so on. Developing cyber-controls in a silo misses extensive productivity and effectiveness opportunities.
Discover latent talent. Find talented people who may have security knowledge, or innate skills, by making available gamified training regimes across the enterprise. Some of people who work their way up the leaderboards in tools like Immersive Labs, from help desks, development or other engineering teams might be your next best core cybersecurity team members.
Let's finish off with an analogy: the medical profession [when it works well]. Not everyone who wants to improve people’s health and well-being wants to or has to be a Doctor to be effective. There are many roles requiring different skills, training and experience from (to name a few) nurse practitioners, radiologists, administrators, medical technicians, therapists, general practitioners, highly specialized surgeons through to medical research scientists. The system (not to say this also can’t be improved significantly), is designed such that the right person with the right skills sees the patient at the right point in time - no more no less - optimized around the scarce resources. When we talk of improving health care outcomes we don't solely obsess on creating more Doctors - we look at the whole system. Perhaps we should be aiming for something similar, different roles with different training requirements corresponding to the needs of that role, stacking the training so people can progress over time - but not "dismissing" them if they don’t want to progress further. Making sure all the components of the system deliver the right outcome and progressively increase the productivity of each element through training, automation/tooling, adoption of new solutions and practices from research underpinned with codes of ethics / practice.
Bottom line: to address the cybersecurity skills gap we shouldn't solely focus on creating more cybersecurity professionals. Rather, we need to create more security minded people in all roles and radically increase the productivity of the cybersecurity professionals we already have - for our team's sanity as well as efficiency.