I remain an outspoken critic of the notion that we have an actual critical skills shortage. I accept that some folks have a tough time finding and retaining the talent they seek.
Lost in the discussion is often what to do about it.
I’m a proponent of education. My recent work in South Carolina, however, opened my eyes to the concept of a technical vocational track. Think STEM (though I prefer STEAM - that’s another post) that prepares our children for immediate, gratifying jobs that pay well.
What role does higher education and advanced degrees play?
What prompted this conversation is an email thread that started when John Boling shared his reactions to a call for people to get a Master’s degree in Cyber Security. He disagreed.
John Boling (@CySocSci) is a security veteran who followed his own path to success. Currently working as a Senior Security Consultant, he started on the front lines supporting MS-DOS and Windows before completing degrees from the University of North Carolina at Charlotte and the National Intelligence University. A conforming contradiction, he boldly blends business, technology, and social science to understand security threats.
I’ve known John for over a decade. I continue to marvel at the consistency in which he sees things before others. He also routinely helps others make connections that benefit them. I trust his analysis and seek his opinion on a regular basis.
His message caught my attention when it started with a simple summary:
“There is only one, I repeat 1, reason to spend time in graduate school focused on security principals for technology: You have a passion for it!!!”
His message was in response to a blog post suggesting the solution to our shortage was higher educated and advanced degrees. Our resulting discussion shares insights important for security leaders to consider.
A lot is written lately about mindset as a key factor for success. You note the importance of mindset as a starting point for security. Why?
Mindset is the critical success factor in many industries. Would you want a teacher that is just collecting a check to babysit, or one that inspires and encourages their students? While their passion may wax and wane over the years, deep down a successful teacher exists to teach.
The medical industry is another one that shows the importance of mindset within specific roles. Consider all the jobs related to caring for patients. Many doctors would make horrible EMTs even with their knowledge, and many good quality EMTs do not have the desire to pursue a medical degree. These roles are symbiotic and feed different needs for the practitioners. This comparative game can be played for many roles within this industry.
The security discipline requires a desire to solve problems while living in a world of ambiguity with constant change the norm. While practitioners tweak and alter machines to solve problems, much of this activity occurs between the ears. Better tools that highlight what is important continue to emerge, but in the end it remains a head game. This would drive many crazy, they want something concrete.
Some argue successfully meeting the “critical shortage” of cybersecurity professionals requires additional investment in computer science and engineering. I disagree. There are many examples of people in this industry that succeeded despite having the bluechip computer science degree. When asked how they succeed, many tend to point to personality traits or interests that describe this mindset. While base knowledge does help, it does not need to come through a college degree structured around how some succeeded.
What are the common misconceptions you see around the blanket requirements for technical skills and corresponding degrees?
Computer science is an often used educational tollgate. This misleads the hiring process because not all university programs seek the same outcomes. Some focus on preparing students for graduate school through theory, while others offer applied flavors focused on programming, software engineering, and networking. Wide variances exist, but few acknowledge them. Shoot, there was a time some schools offered “big iron” computer science degrees after the die was cast for the demise of mainframes. At best, a computer science degree suggests an interest in technology and a desire to understand how it works. While important, other pathways exist.
Not sure how true it is today, but at one time most CEOs held an undergraduate degree in history or liberal arts. Why not business, law, accounting or leadership? This demonstrates how wrong preconceived ideas about the “right” path for success can be. It is really hard to predict where and how someone lands during their career. Look around the security industry today. How many leaders don’t even have loosely related technology degrees? Even some advocating for expanding and relying on computer science to meet future industry needs do not hold such credentials. I know one with an economics degree from an Ivy League school that should have led their career elsewhere.
The tightly bound box around educational and skills requirements exists either out of complacency or to keep others from entering the arena. Too many see security roles as monolithic when they are not. Like others, this industry needs a mosaic of skills and capabilities to succeed. Not all are technical. And even the technical ones, many do not require guru-like knowledge.
Is there a disconnect between a degree and success?
Yes, just look around. How many coworkers in this industry actually meet the proposed requirements? How many hold computer science or engineering degrees?
Does earning a higher degree equate to higher pay? And is that an important consideration?
It is hard to argue about higher pay and potential for opening up unexpected opportunities coming through the acquisition of proscribed undergraduate and potential advanced degrees. But, example demonstrates no requirement for achieving success. What investment offers the greatest return on investment of time and money? Investing years pursuing a degree or becoming involved in the community while teaching oneself. It’s a tough gamble, but success remains about hard work and perseverance.
Don't get me wrong. I am an academic. I hold multiple degrees, but they fed curiosity. Only one loosely related to security of employment. One could argue that going back to school cost me money. It removed me from a dynamic environment within a large tech firm to end up taking a paycheck from Uncle Sam. Even so, I wouldn't change my path. I cannot dismiss the path others choose. If that path is through studying poetry before getting the computer bug, I'm alright with that path. You should have entertaining briefings. Or, if your path took you on multiple "cruises" while in uniform, good for you. The key is as an industry we must not get beholden to the path, but recognize it takes a mosaic of skills and experiences to fully understand the scope of issues.
What does this mean for a security leader - either looking for qualified people or pondering their own educational path?
The security industry continues a path towards an environment where credentialed knowledge is a requirement for entry. Resisting the temptation to rely on computer science and engineering remains difficult, but must occur. Degrees and certifications are one measurement, but they do not show the “it” needed to succeed in this industry.
The constant change and ambiguity requires a tenacity to propel security professionals forward. Knowledge requirements remain in constant flux. Practitioners cannot sit still. There are few formulas that remain constant. While reinvention brings concepts back, they only rhyme when applied to new computing models and security threats.
Elements of base knowledge exist, but do not discount the need for creativity and passion. It is an industry of structure and chaos. Therefore, a mosaic of skills and experience enhances the industry’s ability to mitigate unknown unknowns. Do not discount the potential contributions an economist or poet can make.
Beyond hiring or learning, the security leader needs to ensure security concepts get embedded into the education process. Just as “don’t talk to strangers” is common during elementary school, these concepts can be incorporated in general education. They are not the exclusive dominion of security programs. Other programs of study should incorporate concepts related to security.