Why Security Skills Should Be Taught, Not Hired

Chief information security officers (CISOs) across the globe have long lamented the fact that so many job applicants lack the security skills they need to fill crucial security positions.

Put bluntly: IT leaders have simply failed to create a pipeline of new professionals over the last 20 years. We’re now starting to pay the price as the threat landscape rapidly expands and information security becomes part of everyday life.

Think about the types of people who view security as a potential career. Many of us got into the field because it seemed like the only choice we had. We pursued a career in security because we were curious and adventurous — and we couldn’t stop thinking about it. Most first-generation security professionals champion this mindset, and many contemporary professionals do as well (especially our best researchers).

There’s another group of security professionals who simply view security as a job and leave it at the office when they go home at the end of the day. This type of thinking isn’t exclusive to security. Most industries are made up of people who simply want to perform their jobs and concentrate on other things after hours.

This is the stabilizing factor that takes an industry from a fringe element to a core part of the organization: No matter what career path you choose, a small number of people will view their job as a passion and a large number will just want to make a living.

Why is this relevant to the daunting task of training of new security professionals? Creating the next generation of security professionals is hard work — and we’re not really prepared. The thinkers (i.e., the passionate, seasoned professionals who’ve been in the industry for decades) often expect new employees to share the same love of security and the same depth of experience we had at their age. But that’s not a realistic expectation.

Like many parents, I recently watched one of my children walk across a stage and accept his high school diploma, alongside 1,000 of his peers. He’s headed off to college in the fall with the bare minimum of skills he needs to perform the basic functions of life — aiming to learn enough to take him to the next step. But that’s all a college degree will be for him: a next step.

For better or worse, college doesn’t truly prepare students for the real world. It presents them with a wealth of knowledge, some secondhand experience and — if they’re very lucky — a little bit of real-world experience. It does not give them all the tools they need to perform in real situations that are messy, unbounded and complex. It takes the scars of making mistakes (and learning from those mistakes) to transform knowledge into wisdom.

So, how can CISOs alleviate the skills shortage we face in the security industry? In the short term, there really isn’t a solution. We have to admit that colleges will rarely be able to deliver candidates who are capable of dealing with the complexity of security from day one. Then again, very few industries expect that out of college graduates. An automobile manufacturer wouldn’t hire a newly minted electrical engineer and expect him or her to design a wiring harness for the next model of its car, for example. The company would start the new employee small, nurture him or her, gradually increasing responsibility over time.

I see two viable approaches to growing talented security professionals — and neither works overnight. The first is to hire talented people in junior roles and train them up over time to be senior security professionals. The second is to hire talented people from adjacent professions and train them to develop the skills and thought processes security professionals need in their daily lives. Of course, neither is a quick solution to our pipeline problem.

There’s an old joke that goes, What if we train our people and they leave for better jobs? But then again, what if we don’t train them and they stay?

In some ways, this is a false dilemma because employees of all stripes have long valued opportunities for professional development. Well-treated and well-trained employees are more likely to be loyal to a company than they are to leave. The flip side of the equation is that job roles, responsibility and pay all have to grow along with the employee’s skill level. Security is a dynamic field and employees will not be happy if their skill level has grown, but their job hasn’t.

Training doesn’t have to come in the form of a college course or trip to a big hacker conference. Employee-led training on a regular basis has the dual benefit of allowing senior staff to show off their skills while also transferring those same skills to junior employees. While it may take a little push to get into the habit, a weekly or semiweekly discussion of topics can raise the base knowledge level of the entire team, especially if real-world examples are included in the training.

Hiring from adjacent fields of expertise makes for some interesting knowledge transfer. As an example, there’s always a need in security for people to write — and it’s easier to teach someone about security than it is to teach a security professional to write. Pairing a good writer with a senior security professional lets them both learn new skills. It only makes sense to extend that same pattern to other types of roles in security.

One of the biggest intersections of hard-to-hire careers right now is security and data science. There simply aren’t enough people in the world who are highly skilled at both disciplines, and the salary they can command places them outside the reach of most organizations. As a result, the only option for many companies is to hire a candidate with one skill and train him or her in the other.

We are in a state of deep technical debt in security, and there’s no hiding it. Almost all of the threats our peers were warning management about a decade ago are now the realities we face on a daily basis. Because security wasn’t seen as essential — and because the pipeline wasn’t created in colleges and universities — we’re facing a hiring shortage today. Perhaps most importantly, since no education can prepare a student for the real world, training is our only option to fix the problem.

Only a few organizations can afford to pay the salaries required to hire the top talent in our field. The rest of us need to train people internally and help our new hires develop the skills we need them to have. Using training and promotion as an incentive to hire and retain employees seems to be a logical solution — even if it’s going to take long-term planning to make it effective.