We’ve all read and heard somewhere about the cybersecurity skills shortage. For me, this brings up the question of how to solve the cybersecurity skills shortage.
In my life, I’ve learned that every problem has a solution. Solving the cybersecurity skills shortage should be no different. It is just a matter of giving it some perspective and being creative.
This creativity works only if you are willing to put the effort into applying the solution that this problem requires.
Solving and closing the gap for the cybersecurity skills shortage can’t be achieved with the traditional education and formation of employees by creating a curriculum in a college, training a person on how to “do” or “work” in cybersecurity, submitting an application for a cybersecurity job, then hiring the selected candidate to fill the position.
It just hasn’t worked until now and it won’t work.
Stop treating this profession as a profitable mass education opportunity like just any other profession. Again, it won’t work.
This is a profession that requires a level of understanding that the usual professionals are not getting. I’m referring to people from the HR department, some traditional top executives that don’t get it and highly paid employees who think that this can be solved by throwing the traditional HR hiring structure at it.
I’m telling you again, it won’t work. I know this because it hasn’t been working, which is why the gap exists today.
In science, I learned that if you apply a framework to an object to change a content, and if it fails, then change the framework, not the object. This thought was exemplified by an old saying “only stupidity can make you think that you can obtain different results by doing the same thing over and over”.
Changing the framework
These are the ways that I’m proposing here on how we can close the gap on this cybersecurity skills shortage, which worked for me.
How can companies, large or small, do their part
Some companies engage in poaching the best talent from other companies, which contributes to the lack of initiative in closing the cybersecurity skills shortage gap. Just ask any Headhunter. Their job isn’t to contribute to closing the skills gap of any profession. Their job is to solve a short-term necessity.
They have poached employees that my company has invested time and resources in. Some left and returned to me because they thought the grass was greener on the other side while others left for good. This is a reality of the job market for niche specialties such as cybersecurity and IT personnel trained in niche areas.
I have nothing against Headhunters. They have approached me several times to see if I wanted to work with other companies and they kept me up to date with the short term necessities of others. They are just doing their job.
Here are some ideas I’ve implemented that worked for me on how companies in need of cybersecurity personnel can participate in closing the cybersecurity skills shortage gap.
Creating alliances with community colleges
There are community colleges that offer degrees in IT Networking or IT Security or similar degrees, which serve as a precursor and a great education baseline for understanding the work of a cybersecurity specialist. There wouldn’t be a cybersecurity specialist without understanding these IT basics.
These community colleges generally like to create partnerships with companies willing to provide the hands-on experience for these students for their practice.
Sharing My Experience
For example, the pharmaceutical manufacturing company I used to work for had alliances with several community colleges to provide this hands-on experience to these students.
By creating these alliances, I saw an opportunity to close my company’s IT skills gap. Because my company was growing at a fast pace due to the demand for the products we were manufacturing, we were required to grow our in-house IT personnel and skills at the same pace, which was a challenge.
The challenge to grow our in-house IT personnel was one thing, but getting the IT personnel with specific skill sets was another. As a highly regulated industry, my employees were required to have the skills mostly known to be had by IT personnel and then some.
Specialized skills were required because of the industry we were in and also due to the level of customization of some equipment and processes that no college could teach you to manage and use, hence the challenge of acquiring IT personnel with these skills.
The way the IT skills gap was closed in my company for the Level 2 support and above in part was by taking the students from these community colleges and training them with the skills we needed. These students were prepared in their college with the required IT Networking and Security skill sets, and I took care of providing the more in-depth training to the students I knew could perform the job. I call it a win-win.
This is the way I contributed to closing the skills shortage gap in my company.
There were several benefits of implementing this program from a management perspective.
The way I sold the partnership alliance to the company’s stakeholders was by explaining the benefits of acquiring these specially trained employees to satisfy our company’s skills requirements and, by the same token, I explained how much we were saving in our salary budget by hiring these students trained by my team and who performed very well in the job.
I compared it with the industry practice of poaching from someone else, when offering this employee more with bonuses as a common practice to hire them, and the salary we had to pay this employee.
By putting this into perspective, the stakeholders were able to understand the benefits of the alliance partnership.
I had to put more effort into training a student with just the basics, versus just hiring (poaching) someone with the experience in the industry, but I was willing to go the extra mile. I knew that these students wouldn’t have something that I encountered in most cases of poached employees, and that is a lack of good documentation practices, which is a must in our industry.
Having good documentation practice is something that you can’t just teach to anyone who has been working in the IT field for years. It is a skill you need to have and develop just like any other IT skill and know how to do.
I’ve seen cases of employees poached by other companies that didn’t have this skill and improperly documented some system process, which could disqualify the compliance state of a piece of equipment already in production, and cost the company millions or, even worse, lead to a visit from the US federal regulatory agency, the Food and Drug Administration (FDA), and to receiving what is known as a Form 483. This could spell disaster for any pharmaceutical company.
What Really Makes a Cybersecurity Specialist
In my post “How To Start Your Own Cybersecurity Business” I mentioned that part of becoming a consultant with your own business would require you to be genetically engineered by nature to see things differently. I’m not saying that you have to be a mutation of nature, although some will see you like that.
What I’m saying is the will required to start your own business goes beyond just wanting to do it. It requires a level of crazy obsessive passion to start it and keep at it. After that, you need the initiative to move forward.
Initiative is a word I don’t hear that much during the day. I mention it 10% of the time to other people and the rest I say to myself. Having initiative is very important if you want to make a deal or execute a plan you have.
Don’t wait for others to tell you when. You have to make the decision.
What I’m saying here applies to every cybersecurity professional out there, myself included. We are in a field that requires initiative and a level of willingness to cross some lines in order to achieve our goals.
Our characteristics and behavior are very different from other professions. We perform best when put between a wall and a sword. Challenge is our biggest motivator and mystery is just a problem worth solving.
What makes a cybersecurity professional is not a regular formation of education from any academia, not even the titles we are given. No.
What makes us is the stubbornness we develop when someone says “You shouldn’t do that”. That, right there, is what makes us.
Our job is not only to protect systems from unauthorized users. That is the job description for the world so that they can understand what we do for them.
Take notes, personnel from HR…
Our real job is to take your system and tear it apart, and to understand the intricacies of how every single part and system component works on its own and works together. That, right there, is what we do best.
We have to understand things by tearing them apart in order to understand their vulnerabilities. Knowing where the vulnerabilities are will allow us to better protect any system.
We love taking systems apart and seeing what other uses they have. This is the very definition of a hacker. This is a synonym of what a Penetration Tester does or an InfoSec specialist does. We cross the line on purpose to see how well protected a system really is because when a cybercriminal does the same thing, they aren’t going to ask for your permission either.
When you hire a cybersecurity specialist, you are not hiring someone that you can control. You are hiring someone you should set free. Just give them the tools to do their job and let them do the rest. Trust me when I say that they will come up with results.
Understanding the characteristics and behavior of a cybersecurity specialist is important if we want to close this skills shortage gap because the truth is that we are not made to be measured by the common hiring rules from Human Resources.
Our expertise and education are from Hard Knocks. Our teachers and professors have the same name, Experience. Our references can only be found in the digital world and only for someone like us to see and understand.
The HR department needs to understand that they can’t find what they are looking for via the traditional ways. The academia is way behind on the technology and methodology we use to do our job. No one and no institution can give you the blessing you are looking for, because they don’t know either.
I’m saying all of this so that the HR department personnel from any company looking to hire a cybersecurity specialist can understand who we are.
As I said, only one of us can understand who we are. In this case, what I can recommend someone from HR to do is to hire someone with the cybersecurity expertise and with a management background.
I see your thoughts rambling and saying “But you just said that there was a skills shortage for cybersecurity, now you want me to hire someone with a cybersecurity and a management or team leading background?”
Yes, and here is why. If you need to manage a diverse team of cybersecurity professionals, then you need someone who can understand their goals and their action plan. Their goals and action plan are somewhat unconventional because you need to understand that we have to put the system under arrest from time to time in order to test its vulnerabilities. Let’s just say that we are nature’s equivalent of the white blood cells of your body, but for your system.
Putting this diverse team under the supervision of someone who doesn’t understand or doesn’t get it, will create friction. The advantage of having this team leader is that the company can rely on this person and then this person manages the team to complete the work.
The same principle applies when outsourcing. You can’t outsource risk. You can outsource the team that will work with your risks and vulnerabilities, but the risk will always be with you.
Even though you outsource the cybersecurity team, you still need to have someone in-house responsible for your risk and who will be managing this team.
Creating an apprenticeship program
Companies with in-house IT Personnel can implement what is known as an apprenticeship program. This is really easy to implement and requires no additional costs.
For example, let’s say that you need additional resources for a specific area of cybersecurity. Look inside your department for a candidate and if you can’t find a good candidate, then spread to other internal departments, not necessarily in IT. If you are able to find a candidate with the basics to understand how cybersecurity works, then take this person and place him or her under the wing of a senior and more experienced person that can teach the new apprentice.
We did this from time to time in other areas as well. For example, we couldn’t find a candidate that met our requirements for an IT Compliance Manager, so we looked into other departments and found a candidate. We placed him under the supervision of another IT Compliance Manager from another manufacturing plant and soon we had our own IT Compliance Manager.
Sourced and bred by an in-house program.
No amount of statistical data from any source can help you fix the shortage if you don’t take action.
The headline news will always be there and will only get worse if you don’t start with a plan and take action to narrow the cybersecurity skills gap.
It all begins with you.
by Edgar Vera, MS Cybersecurity