This week saw the launch of a new report launched by (ISC)2 which found that although the majority of the 2500 non-cybersecurity workers surveyed had a generally positive view of people in cybersecurity roles, they didn’t see cybersecurity as a potential career option for themselves.
According to 71% of the respondents, cybersecurity professionals are considered to be smart and technically skilled, while 51% described infosec professionals as “the good guys fighting cybercrime.”
Also, 69% of respondents said cybersecurity seems like a good career path, just not one they see themselves pursuing, as 77% said cybersecurity was never offered as part of their formal educational curriculum at any point. In order to get into the industry, 61% believed they would either need to go back to school (26%), earn a certification (22%) or teach themselves new skills (13%) in order to pursue a career in cybersecurity.
Wesley Simpson, COO of (ISC)2, said the results show while it’s becoming even more highly-respected, the cybersecurity profession is still misunderstood by many, “and that’s counterproductive to encouraging more people to pursue this rewarding career.”
The teaching of cybersecurity as a career may be a generational issue, but in the future, could it be taught more to provide a career choice? Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center), said now, cybersecurity is currently taught at many universities, and some offer courses within the computing departments, but others offer it as part of MBA programs. There are also a number of professional certificate programs available for those who prefer a technical track as opposed to classroom-style learning.
He said: “What isn’t taught, and arguably shouldn’t be taught, is a set of prescriptive rules along the lines of ‘follow this and you won’t be hacked.’ Our digital economy is fast moving with cyber-threats keeping pace, so business leaders should invest in ongoing skills improvement within their teams rather than attempting to attain perfection.
“Similarly, cyber-job candidates should expect their future employers to invest in ongoing training related to threat identification, incident response, mitigation techniques and triage measures.”
Other industry figures Infosecurity spoke to stated that there was a space for cybersecurity to be taught more in schools. Paul Bischoff, privacy advocate for Comparitech, said the field is certainly growing to a point where it could be taught as its own subject, “but right now it is mostly bundled together with other computer science degrees.”
Also, Niamh Muldoon, senior director of trust and security at OneLogin, said she has “been adamant in trying to get governments and regulatory bodies to recognize the importance of protecting the most vulnerable in our society, and our young fall into this category.”
“I would love to see cybersecurity as a subject in schools,” she added. “I was not very studious at school and only found my passion in the cybersecurity industry when I started working in it. With the global shortage of cybersecurity professionals continuing to grow, it would be great to attract and retain more cybersecurity professionals into the industry by fueling their passion at a younger age. I have no doubt our industry would benefit from the diverse and inclusive skillset they would bring along with the cybersecurity innovations.”
“The reality is that most cybersecurity incidents aren’t as adversarial as portrayed on TV”
A section of the (ISC)2 survey focused on perceptions about the industry as seen through TV and movies, with 37% of respondents stating that was where they got their understanding of the industry. Also, 31% said their idea had been formed by news coverage of security incidents.
This led Infosecurity to wonder, does cybersecurity have an image crisis, where people think a security role is like it is on TV, but not something the average person has the skills to do? Mackey said popular culture has created an impression that hard problems, like those associated with managing a cyber-incident, are simultaneously highly skilled and quickly solved.
“In effect, the portrayal in media assigns an attribute of quick decisive thinking to the process – an attribute that potential cybersecurity candidates might not view themselves as possessing,” he said. “The reality is that most cybersecurity incidents aren’t as adversarial as portrayed on TV, and that two of the most important skills to become a professional in a cybersecurity discipline are strong problem solving abilities and attention to detail.”
Chris Hauk, consumer privacy champion at Pixel Privacy, argued that “most people think cybersecurity involves maneuvering a 3D maze filled with grinning skeletons that represent malware that must be zapped by the BFG virus zapper” rather than applying patches to keep operating systems and applications up-to-date and ensuring a firewall is blocking what it is supposed to be guarding against. “It is all character based or a bit of point and click, and quite boring.”
He claimed that a lot of the skills for cybersecurity mostly consist of common sense, and this means guarding yourself against everyday threats on the internet by running anti-virus and anti-malware protection, and avoiding clicking on links and attachments in email and text messages.”
However, Muldoon said she does not believe cybersecurity has an image crisis, but admitted there is bias with regards to what a cybersecurity male and female professional looks and acts like. “Throughout my career, I have witnessed this at all levels of an organization including board level,” she said. “These biased images include physical stature and voice.”
Muldoon explained, to be successful in this industry, physical traits are irrelevant, and you need to be agile, calm and collected as well as resilient and mentally strong. “A key step to changing this is having role models in cybersecurity visible to our younger generations, and particularly young females need to have women to look up to and aspire to. Ask yourself, how many times have you seen a lady in a TV ad, TV program or movie play the role of a cybersecurity expert? A handful right? I thought so. Maybe (ISC)2 and Netflix should consider partnering together with a series or documentary of female cybersecurity experts around the globe. I can tell you that this would definitely be worth a watch.”
It is always interesting to get a perspective on how our industry is perceived from the outside. Yes TV and cinema do provide an outlet of professional identity, but too many times the good examples have been outweighed by the bad – remember the NCIS hacking scene? If this looks like an interesting and welcoming industry, we’ll do well to ensure that people know it can be an option for them.