The security industry must rebuild its narrative to attract more raw talent at all levels
You don’t have to go far these days to find security professionals complaining about skills shortages, and countless media outlets relaying their views.
But there are at least two sides to this argument and the situation requires a more balanced approach.
There is no doubt – first of all – that the cyber security industry still has an image problem. It often carries a dated, tech-heavy narrative and ends up being perceived as an obscure and complex technical niche, something reserved for nerds and geeks. When the excellent ladies of the CEFCYS in Paris published their first guide to the cyber security professions earlier this year, they titled it “I don’t wear a hoodie, yet I work in cyber security” (“Je ne porte pas de sweat à capuche, pourtant je travaille dans la cybersécurité”).
In fact, the security industry has never managed to make itself attractive and in turn, the lack of awareness around the diversity of security roles breeds a lack of relevant training courses and educational opportunities.
The absence of clear security career paths is also a real problem at all levels when it comes to attracting new talent: what do you do once you have been a security analyst in a SOC for a few years (or a CISO, for that matter)? You should not be condemned to hopping across to similar roles all the time, but credible alternative role models are cruelly missing: how many CISOs have actually become CIO, COO or CRO?
However, this is rarely what people refer to when they talk about the “cyber security skills gap” …
They often refer to problems in staffing large security initiatives or security operations centres, and here the so-called skills gap is often a fig leaf hiding different problems.
Many security leaders – in particular in large organisations – are stuck with legacy operational processes – around identity management, security monitoring, incident handling or threat intelligence – which are mostly manual, labour-intensive, repetitive and built around countless tools (20 on average according to a recent Cisco report). Attracting – and retaining – young professionals in such jobs can indeed be hard – even harder in the absence of clear career paths and role models, as we highlighted above.
Also, many large organisations, faced with large-scale maturity problems and urgent security transformation challenges, are trying – unrealistically – to fix all their problems at the same time. But building a monstrous programme of work requiring in theory tens of additional FTEs, and ignoring all dependencies between tasks and cultural aspects, is not how you change things. You would struggle to staff it in any specialised industry – and to deliver it. This is just bad planning, and it is fuelled by the tech industry and large consultancies.
So does all this reflect a real shortage of skills? Or a shortage of appetite from the leadership to tackle the re-engineering of legacy security processes, to make them attractive and better suited to the expectations of a younger workforce? Or is the alleged shortage of skills simply an excuse to hide poor management and the greed of the security ecosystem?
Ultimately, all those aspects are just the different sides of the same problem: To attract more raw talent into the security industry (at all levels, security management included), you have to make it more attractive, in a credible and meaningful way – at all levels.
To help with that at analyst level, the leadership should focus on decluttering the cyber security estates and automating processes intelligently to allow a smaller number of analysts to work more efficiently, creating a more stimulating – and less boring – environment for them.
At middle and senior level, the focus should be on building role models and career paths, showcasing real, meaningful and credible bridges across cyber security roles and other roles, at least across the broader GRC spectrum, but ideally across the entire management spectrum. Looking beyond tech is absolutely key in that space. There is no reason why a CISO would not come from a business role.
Professional bodies and industry bodies have a role to play here to rebuild that narrative and help the security industry become more attractive and move forward.