Hard things are hard, security will never be easy

There isn’t a skills shortage for security because these are skills you can’t teach.

teach train direct chalkboard formula
Thinkstock

Hard things are hard. What we call cybersecurity, or infosec, or information security, or even security, is a hard thing. It’s really hard. And that’s OK. If you’re a believer that anyone can learn anything this probably isn’t the post for you, you may want to turn back now. I have no doubt there will be many who don’t agree with me, and that’s OK. Everyone doesn’t have to agree about everything. In this case though this is a topic I’ve been thinking about quite a lot. What we call security can’t be taught: it’s too hard and too general to teach. But that doesn’t mean there is no hope.

There isn’t a skills shortage for security because these are skills you can’t teach. What we really have is a solutions shortage. You can learn to use a solution without having to be the sort of expert current security requires.

Let’s start this conversation by thinking about astronauts. Being an astronaut is hard. If there was an astronaut shortage, you can’t start up an astronaut school to solve your problem. The skillset needed is just too unique. Someday we may see many space related companies, then we’ll need substantially more astronauts, probably more than we can fill using today’s standard. However if we start to see space travel as a commodity the required skillset for an astronaut will end up being drastically different than it is today.

To be an astronaut you need a very odd set of skills, and you have to be really good at them. There isn’t one skill that’s most important. These are scientists that will be responsible for everything from doing a study on bees, to flying a rocket, going outside and fixing a robot arm, and most importantly they have to mentally and physically able to deal with space. You can’t teach this stuff, you have to go find people that fit this description. Security has a similar problem.

You can’t teach these skills because it’s part art, part experience, a lot of working hard, and being insanely curious. Just like good security people, astronauts will never stop learning. Constant learning is just part of the unwritten job description.

Keeping this in mind, what we need isn’t more training for security people, we need to get the existing security people to scale. We need an environment where people with a subset of the currently required skills can be productive. When space travel is commercialized everyone won’t need to be astronauts like we have today. You’ll just need someone who knows enough to get the job done.

Today a lot of security effort is not scalable work. There are many reasons for this, but fundamentally security is like being a renaissance artist. You need to know incredible things that can’t be taught, they can only be learned.

All is not lost though. Logging is a great example where we scaled this out. Could you imagine looking at logs every day? It’s not only impossible, but anyone capable of understanding what’s happening would be wasting their skills. We have tools built by the experts to make logging something we can teach. We use technology to help scale out the work.

We probably can’t teach security in the way that moves the industry forward. There are certain skills that can be taught, but given how fast the industry is moving many of those skills won’t be useful for very long. Imagine what was considered best practices four years ago. The world has drastically changed, do you think academic programs are keeping up? Many recent grads today started learning four years ago.

We’re in the middle of security disruption, it’s quite possible this is just the way it will always be for security. The best security minds are taking it in stride, but any skills learned even four years ago can have very limited value in a modern organization today. We don’t have a skills shortage because we can’t bring more skills online. Calling it a shortage implies we can fill the gap. What we really have a is a solution shortage.

We will always need security pros that are comparable to a modern day astronaut. They will always be a limited resource. What we need more of are solutions that can solve our problems. Then we can teach someone how to use a solution. We spend too much time today focused on the security generalist shortage and not enough time on how to build a solution to meet the current challenges. They’re not the same problem and only one can be solved.

This article is published as part of the IDG Contributor Network. Want to Join?

SUBSCRIBE! Get the best of CSO delivered to your email inbox.