Yes…that’s me and my wife, hanging out with Geordi LaForge (LeVar Burton), Dr. Beverly Crusher (Gates McFadden), and Mr. Data (Brent Spiner). Trek yourself before you wreck yourself.
In The War of Art, Steven Pressfield says that the difference between an amateur and a professional is that the professional has a plan. According to CSO Online, there will be 1.5 million jobs in cybersecurity that will be waiting to be filled by 2019. I haven’t seen a plan to fill those jobs. I think as CISOs, we should be the ones to come up with a plan to change this, or else someone else is going to come up with a plan… and we might not like it.
There are a lot of things that are outside of our control. But let’s look at some of the things that are.
Unlike the EU, security laws in the United States are all narrowly tailored to each industry vertical. There are pros and cons to each approach. But one disadvantage of the security laws in the US is rarely discussed: its impact on the workforce.
According to the Bureau of Labor, consultants, banking, healthcare, defense, and government are the biggest employers in cybersecurity. When you look at job postings for security positions, you see that businesses want not just 5 or 10 years’ experience, but 5 or 10 years’ experience in their industry. This does several things. It means that employees who are in banking or healthcare have an incentive to stay in banking or healthcare. It also means that they have a disincentive to leave those verticals.
I think the long-term consequence of this is that although there is a job gap of several million jobs, that gap will be especially challenging in verticals that aren’t as big as banking, for example. If you are just starting out in your career, will you want to start out in an industry like Higher Ed knowing that while you might get all the same certifications as someone in a different industry, you’ll never get the job?
As a community we need to recognize this is dividing up a small pond to be even smaller.
I’m guilty of this as well. It does help to know the ins and outs of your environment to get a running start…but aren’t security best practices the same? For someone’s daily tasks, do they need to be an expert on a particular compliance regime or regulation? Or can we instead focus on building up a generation of generalists?
We need a plan:
- Don’t require experience in your industry or vertical. Not only will this open up the candidate pool for you, it will bring in candidates with diverse experiences that can help transform your program. I’ve brought in folks from defense, government, and the financial sectors and those diverse experiences have shaped how we approach our program.
- Get rid of the requirements for CISSP or degrees. After I did this a couple years ago, the pool of candidates that I was getting for job postings went from security guards or kids just out of college to folks with a decade or more of experience who wanted to finish their bachelor’s degree. Many candidates were willing to take a pay cut in order to be a part of an organization willing to invest in them.
- Part of that plan should be to allow for more entry-level positions and recruit from outside Cybersecurity. Why not find people inside your company that already understand the business and deputize them?
- Particularly in the area of security awareness, there’s been a complaint that security teams don’t have staff with a marketing background, and that inhibits our ability to effectively coach our staff. Why not create a security communications team to revolutionize your awareness training?