Why the perception of a security talent shortage is really a leadership opportunity

Reframe the discussions about the lack of qualified security professionals to reveal the real opportunity for leaders to develop the people around them

The tour of the canal development was over. Famed economist Milton Friedman wondered why no powerful earthmoving equipment was in place. He asked why the workers only had shovels. 

The explanation was the importance of the effort to create jobs. Friedman’s response (and more history here):

“Oh, I thought you were trying to build a canal. If it's jobs you want, then you should give these workers spoons, not shovels.”  

Consider the perception of a shortage of qualified security talent the same way. Is the real answer the need for more people? Or have we missed opportunities to use more powerful solutions? Remedies that extend our capabilities while improving security.  

I know clients and colleagues struggling to staff their teams. I accept for some, the challenge is real. But local challenges do not signal a global crisis. While some believe perception is reality, sometimes perception just creates pain.

We recently tackled this topic on the Down the Security Rabbithole Podcast (listen here). I contributed an early version of the outline for this column.

Here are some considerations on why we’re experiencing this issue:

1. Newfound demand outpaced current supply. This is temporary. How temporary is dependent on a variety of factors. We are not limited by our educational system. Instead, we must again consider the right attitudes, aptitudes, and skills we need. 

2. We struggle to define what a security professional is, and what the role entails. We need a consistent method to test and measure performance. Consider the benefit for hiring, development, and promotions. In the absence of such a standard, we declare a lack of ‘capable’ professionals. 

3. Our lack of defined pathways is an unexpected obstacle. Because so many of us figured things out on our own (or in small, tribe-like groups), we continue to explore and debate the right way to do things. As a result, we’re a bit fractured and confused as an industry. That complicates the hiring process.

4. We rely on human capital where technology is superior. And we rely on technology where human capital is superior. For example, the struggle to automate basic functions (while arguing about fundamentals). Common efforts just create more work. With a mindset of owning anything security, the only solution is more people. 

5. We're not solving problems, just kicking the can down the road. We continue to struggle implementing known controls (segmented networks, access control, etc.). At the same time, our environments have evolved. Data proliferated. It feels like we are running on ice. 

Why it feels like a crisis

These five points combine into an experience unpleasant for most. We recognize a lag in workforce development under increasing pressure to perform. New technologies and solutions are hard to test. Harder to measure their value.  

Over time, market demand creates an incentive for more people and more innovation. Sometimes hard to recognize, it is happening. 

The perception of a talent shortage manifests itself in two notable challenges: 

  • Candidates of average quality can afford to be picky
  • Retention is a problem; we experience a lot of job hoppers, looking for a better fit

Shortage aside, this is an opportunity for leadership. 

Focus on understanding the environment and actual challenges. Rank efforts. Call for real solutions and support vendors innovating in ways that reduce our workload. 

Create an environment with defined roles and clear pathways to progress. Invest in on-the-job training (OTJ) to develop the individuals of the team. 

Lessons in our own development

How did you get your start in security?

Most people I survey reveal they started in another field. Few have a formal degree in technology. Security tends to be a profession that chooses us, not the other way around. As such, many of the leaders I work with got their degrees and starts in other fields. 

While it created some complications (see #3 above), this is a good thing. And it reveals a short-term pathway to solve local talent crunches. 

What worked was the right combination of aptitude, attitude, and ability. From that, we learned the skills of security. It's no different today. 

The leadership opportunity: develop people

The function of leadership is to produce more leaders, not more followers. ― Ralph Nader

Exceptional leaders develop people. When faced with a shortage of talent, consider looking for people without security experience. Instead, focus on the right aptitudes, attitudes, and abilities. 

Then teach them the skills they need to be effective. Make sure they learn to apply the skills. Exceptional leaders focus on the individual leadership and communication skills of their team, too. 

Create the environment that attracts the right people. Offer them a way to contribute. Allow them the use of their voice. Build a team recognized for making a difference. Allow each an opportunity to grow. 

Reflect back on how you got your start. Consider what you would do differently with what you know now. Build on the advances we have made with the qualified people you have. Then you don't have to worry about a shortage of talent. 

Be a leader who develops talent and advances security. 
