Credit: Hochgeladen von Colin, CC-BY-SA 4.0, via Wikipedia
Everyone seems to think that there’s a lack of qualified security professionals, and that the reason is that there aren’t enough people entering the field with the required skills. There is a fallacy behind that thinking, though. People think that security is a stand-alone discipline, but it is actually a discipline within the computer field. Treating it otherwise is a mistake.
Most of the people who have been in the security profession for more than a decade, including me, entered the field without a cybersecurity degree. We might have certifications, but we don’t claim that those certs are the source of any expertise we may have.
My own experience is not atypical. In all of my years of working, as an employee or contractor, for the National Security Agency and other military and intelligence agencies, I never performed specifically what would be considered security work.
In fact, I didn’t even start out in the computer field at the NSA. I was an intelligence analyst who hated his job, so I applied to the computer systems intern program. In those days the NSA couldn’t find enough computer experts, and so it created a program to identify people with high aptitude for computers and trained them. Although I later became known for security expertise in the private sector, I was never given any security-specific training. Instead, I had years of on-the-job and formal training in good technical and operational practices. My later success in penetration testing was mostly built on detecting the absence of good practices, not formal training in how to hack systems or perform social engineering; I never had to used any advanced skills, given the woefully poor security I encountered. In other words, it was nothing like what happens in cybersecurity programs.
Of course, the NSA does have people whose work focuses on security, and like me, they moved into that area after learning about things like operations or networks; they didn’t start out in “security,” unless it was as at an entry level and under the tutelage of a senior person.
The NSA isn’t alone in taking this approach. Other intelligence and military agencies, government contractors, the large banks and other leaders in implementing strong security programs focus on identifying people with the appropriate aptitude and related skills, then give them the formal and on-the-job training to competently fill security-related roles.
There’s a similar dynamic in every profession. We don’t hear about engineering firms bemoaning a lack of people with degrees in bridge engineering, or architectural firms complaining about a dearth of graduates with degrees in skyscraper architecture. The military doesn’t cry out that it can’t find recruits who are already trained in combat. Why, then, do so many government agencies and private-sector enterprises bemoan a lack of cybersecurity professionals? Here’s what makes me crazy about this: It does more harm than good to insist on more people coming to them with cybersecurity degrees; those degree holders are just never going to be as knowledgeable and competent as the security-focused professionals that organizations can grow themselves.
Sign up for Computerworld eNewsletters.