There’s a new problem arising within the cybersecurity industry: a labor shortage. These days, a potential cybersecurity engineer is required to have certification upon certification, as well as years of experience. This has created a gap in the workforce because of a lack of qualification. Or has it?
ICS Pulse: Is there really a cybersecurity skills gap out there?
Sam May: Yes and no. I have seen company, after company, after company not understand the cybersecurity requirements and space, or have crazily high requirements as far as skills and years in service and stuff like that, that don’t match pay. If you’re requiring a whole bunch of certifications, a whole bunch of years of experience, a whole bunch of degrees and a whole bunch of skills, and you’re not paying something like $200,000 a year for this person, you’re bananas. You have to choose which of these you want. Most cyber positions don’t require a ton of experience and training. Maybe the government’s most premier offensive cyber unit is run by none other than the United States Marine Corps.
I can tell you right now that the kids who are going into MARFORCYBER are not coming from huge banks of certifications out there. They’re coming through Marine Corps bootcamp and going to their MARFORCYBER and getting trained. They’re going along the way to their A schools and C schools and getting training as they go to their advanced individual training. The Marine Corps says, “We can take a Marine in, we can train them to be a rifleman and then we can train them to be a cybersecurity person. Then, we can put them over here and put them to work.” Why can’t industry do that? If Marines can take a rifleman and turn them into a cybersecurity professional, why can’t private industry take someone who’s excited off their floor and turn them into a cybersecurity person that they need? There’s almost an industrywide fear of taking people and building the employee you need. They’ll do it in almost any other portion of the company.
Anywhere else, they’ll take a person with very little training and turn them into a computer numeric control (CNC) operator or turn them into a marketing specialist. There’s an introductory role for just about anyone. Then, it comes to cyber, and suddenly you need this amazing unicorn who can do a thousand-million different things. There is a wonderful lack of sophistication when it comes to what cybersecurity is and the type of people that need to do it. The difference between cybersecurity and information technology (IT) is IT is all about keeping the blinking boxes blinking and keeping the printers printing and keeping the end users using their computers. Cybersecurity is about two things: monitoring systems for anomalous behavior and enforcing policy. With cybersecurity analysts, their job isn’t to write policy — that’s a manager’s job — it’s to enforce policy.
People don’t like to have rules enforced on them. From the very beginning, it’s an adversarial position at most companies. Then, companies don’t really know what they want. They say they have a skills gap, but tell me what the skills are that you want. What exactly is it that the company or the industry wants these people to do? Do they want them to just sit in a room all day and stare at logs for hours and hours on end? Just to look at syslog and event logs for hours and hours and hours, and then wonder why people leave that community, why people don’t want to do it. There’s no standardized promotion. There’s no community to grow into. What’s the glide slope for promotion from entry-level security operations center (SOC) analyst to a CISO? What does it look like? Nobody can answer that question. The industry is new. Cybersecurity is new. I mean, you can look at almost any other position, in almost any industry, and there is a general glide slope from entry level to the C-suite.
You can look at anything from marketing and sales, to operations, to whatever else, and you can say, “OK, you start on the floor. You move your way up to position, to position, to position. Then, if you work hard and stay out of trouble and take increasing roles and responsibility and whatnot, eventually you have a shot at mid-level management and then senior management and executive management.” You talk to a kid who’s on the SOC, how does a kid in the SOC become CISO? Then you look at the CISOs out there and you ask them, “What was your career chain?” They look back and there’s an MBA involved. I mean, I have an MBA. It’s never helped me in cybersecurity once. It’s just a muddled environment.
One of the most telling things is that, if you go on to where obviously I get all my news from, Reddit, and you go onto the cybersecurity subreddit and you look at experience after experience after experience of kids coming out of college, coming out of bachelor’s, master’s programs and unable to find a job, sitting in interviews where people berate them and bully them and make them feel stupid and worthless because they don’t know something. The kid who’s in front of you should be motivated to excel at your company. That’s really where it is. You have human resources and hiring managers out there saying things like, “For this introductory role, you need to have a CISSP,” an utterly worthless certification. To do this job? For what? The CISSP certification is built as being an inch deep and a mile wide.
All these companies out there that are saying, “We still have all these critical failures,” are the same ones who are creating the problem to begin with. There are loads of people, hundreds, thousands, millions standing in line for the jobs, and no one will hire them. No, there’s not a labor gap at all. There’s a cybersecurity skills gap because industry refuses to put them into practice and take the risk that maybe one of them will screw up. IT people screw up all the time. As a matter of fact, it’s just like in cybersecurity. It’s not if, but when. I remember when I was hiring people for IT roles, and I would tell them during the hiring process, “You will screw up. You will push a button and bring the production environment down. You’re going to do something so atrociously horrible that you’re going to stare at it and wonder who is going to kill you first.”
ICSP: Is there a way for businesses to start righting that ship a little bit and be willing to train up other IT professionals?
May: Yeah, I think there is, and it’s just understanding that it’s not a labor gap, it’s a skills gap. There are plenty of people, so you have to take a risk. Just like all the other kids you’ve hired out of college, they have no experience. They have the knowledge. Let them gain experience.
Don’t be so selective in your hiring of people that you hire nobody. I’d rather have a 22-year-old with a bachelor’s degree and no experience sitting downstairs in my little cybersecurity office, which is probably a broom closet, and doing something, trying to figure stuff out, than having nobody because HR is waiting for the unicorn to come jumping through the door and have all the degrees and certs and be perfectly happy to work for $60,000 a year, even though I spent more than that last year on my membership dues for my certifications.
ICSP: What is one piece of information you desperately wish more people knew about industrial cybersecurity?
May: You have to find a partner. Industrial cybersecurity is an almost impossible cliff to climb, because like I said, the data in industrial systems has to be available all the time. Availability is No. 1. Otherwise, the system doesn’t work. Automation doesn’t work. We have to have automation. As we move forward, there’s going to be more global interconnection of automation and stuff like that. This idea that, “Just don’t connect it to the internet,” that’s a great and beautiful thing to say, but in reality and practice, more and more stuff is going to be connected to the WAN, because we need to be able to do more with less. We need to increase productivity with fewer workers in the workforce. That’s just how the world will go. Since availability is so key and security is second, you need to find a partner that you can trust that can help you.
I’d rather companies focus on their core competencies of producing the widget that they make and do excellently and not try to also become a cybersecurity company and become experts. I mean, hire your assets, build your talent. I’m not going back on what I said a few minutes ago, but the No. 1 thing you can do is find a trusted partner. This is the most difficult portion of it. You can’t go with a vendor who promises that they have a solution to all your woes with, “You just buy our product, and everything will be solved for you.” A good partner is one that will be honest with you. It’s an uphill battle. It’s going to be a slog, but we’re going to work with you. We’re going to work with your revenue. We’re going to try to not impede on your free cash flow to the point where you’re no longer a business anymore.
We’re going to work with you to identify your vulnerabilities and the threats to your vulnerabilities. Then, we’re going to work primarily to shore up those vulnerabilities, to reduce your exposure to the threats that we can identify. In the process, we’re going to work on your compliance-ready state so that you can actually evidence this to a governmental body or some sort of regulatory body that demands that you be compliant. Compliance is not security, and security is not compliance. They’re two different things. If you have a vendor or a partner out there who is selling you a one-size-fits-all solution, they’re lying to you. You need to work with somebody who is honest with you, who will tell you the things you don’t want to hear and will help you prioritize your capital investments. If they don’t seem to care about your capital budget, it’s not the right partner.