When I first started the Hack Your Cyber Career Facebook Group and then the Twitter feed and finally this site, I got a lot of excitement from close friends and peers of mine. I also got some questions that boiled down to a series of “why?” This is a really good opportunity to clarify exactly why I wanted to commit to focusing my efforts on career development in cyber security and why I think it’s necessary that this happen now.
My hypothesis is that we are digging ourselves into a bigger and bigger hole in a cycle of biased promotion and hiring. By focusing so heavily on promoting the best-in-breed security people, we are missing out on the numerous benefits of diversity or the influence opportunities available to us outside of our tiny security bubble. I’ll elaborate on this hypothesis below in this post, but to make it perfectly clear:
The mission of this site is to close the skills gap in cyber security from entry level personnel to leadership.
I've had the pleasure of coaching and helping a number of people land their first jobs in their field or take a significant step forward. This has been enormously rewarding for me personally to see just what these folks are able to accomplish now.
The Widening Gap
There have been more and more studies coming out lately that highlight a growing skills gap in the cyber security field (read here, here, and here if you’re interested). At the same time, we have a growing reliance on technology across pretty much every industry imaginable, which means that this field has the potential to affect almost every aspect of life today. It looks a lot like this (please forgive the very non-designer quality graphic, that's clearly not my strong suit).
As technologists, we can lean pretty heavily on automation and new technology to solve problems and help scale; this only gets us so far though. Without qualified humans behind that technology or leading the charge on implementation, this plan falls short.
Movements like WISP and BrainBabe highlight the very obvious gaps in women and minority groups holding positions in the field. Much of the work championing inclusivity and trying to close the diversity gap in this field has focused on women and minority groups, and I think that is super important. I also think it’s important to point out that we need to consider some of the other factors that inform how an individual thinks, feels, and problem solves, such as:
- Their socio-economic background
- Their field of study
- Where and how they grew up
- Veteran status or the kinds of work they've done
If one of the ultimate goals of promoting diversity in the field is to ensure that we are continuously advancing with fresh, creative ideas, then I think we must consider these other dimensions. With that being said, I don’t think one has to downplay the other; it’s simply an additional narrative that needs to be out there. As an example, a student who grew up in downtown Baltimore and studied economics but has a passion for cyber security will approach things very differently than another student who grew up in Berkeley and studied computer science. Both are important, both are valuable, and both will likely add value to their organization and the industry in their own unique way.
One of the biggest downsides of this current lack of diversity is that over time, with more and more people who think and approach problems in a similar way, we drift closer and closer towards groupthink. Groupthink, for anyone who isn’t familiar with the term, is a condition where individuals within a group continuously think more and more like one another, and divergent opinions cease to exist or are quickly stubbed out or rejected. I don’t think we’re quite there yet, but I do believe we’re at risk if we aren’t able to address the diversity problems that we have.
Within the security industry, there is a propensity towards blaming others when things are insecure or when they go wrong. My guess is that you’ve likely heard something like this at some point:
- If users would stop clicking on links we’d all be in a much better place
- Developers keep ignoring security policies and writing insecure software
- Executives just don’t care about security so I can’t get my job done here
On top of that, there is a (thankfully) smaller but persistent faction of people in the field who take it a step further and label all of these other parties as incompetent or unwilling, or say that they need to be “locked up” or “tased” until they can get it right. Sadly, I am using quotes in that last sentence because I have heard those exact words come out of a prominent security person during a conference presentation they were giving. This displacement of blame does nothing to build relationships and trust with the people we are ultimately trying to work alongside to secure systems, businesses, governments, etc. In fact, I believe that it actively sets us back collectively as a field, and within a specific organization it can have extremely counterproductive effects.
Based on my research, pretty much all resources today geared towards helping people learn and advance their careers in cyber security are focused in three main areas:
- Learning the ins and outs of some technology
- Getting a certification
- Learning a skill, such as penetration testing or incident response
Sometimes this training material overlaps, such as with the OSCP certification (which is amazing by the way), where students learn a ton about penetration testing, the tools they may need, the technologies they will eventually break, and if successful, they emerge with a reputable certification. I have yet to find anything that focuses on helping people work through the soft skills that come with working in this field: resources that help people think strategically about their career in the field, help them develop as leaders, help them develop empathy for other interconnected fields (e.g., development, IT, legal, etc.), and more. Without these skills, I believe we run the risk of promoting, hiring, etc. purely on technical merit, which isn’t always what’s needed. At the same time, hiring on technical merit alone doesn’t do much to consider aptitude. You could equate this to a doctor who was brilliant but lacked all bedside manner.
I covered a lot in this article, but I hope it helps clear up why I feel this mission is necessary. I care deeply for the field of cyber security and the impact it can have (and already has had) on the world around us; one doesn’t need to look far to find a breach that may have affected them personally or someone they know.