The cybersecurity skills gap is caused by a lack of vision in the industry rather than it being a pipeline problem, argued Wendy Nather, head of advisory CISOs at Cisco, during her keynote address on day three of the Infosecurity Europe virtual conference.
Nather, who was recently inducted into the Infosecurity Hall of Fame, believes it is a complete misnomer that there is a lack of talent available to fill the expanding number of security roles. Instead, it is down to the industry “to open our eyes and see what’s in front of us, namely that there are sources of great security talent everywhere.”
Nather then showed a collage of high profile security professionals representing a range of demographics, including those often not associated with technical IT skills, such as older people. She said this demonstrates that anyone from any walk of life has the potential to be successful in the sector.
She added that it is vital to recognize that there is a range of pathways into the security industry, and it is quite possible to move across from a completely different profession. “They just need to be able to innovate and then they can learn the technology,” outlined Nather. “People are capable of learning all sorts of things; you don’t have to go for the person who is exactly like the last person you had in this position."
In fact, it is a great advantage to a security team to have personnel from different backgrounds and experiences. Nather gave the example of hiring a man called John Skaarup, an army veteran of 21 years, based on the mindset he demonstrated during her interview with him. Nather said that “he turned out to be one of the best security colleagues that I have ever had” and is now a cybersecurity officer, running the security operations center at the Texas Department of Transportation.
Nather then offered advice on how those involved in the hiring of security personnel can adapt their practices to open their doors to a much wider pool of talent. She observed that there are already highly knowledgeable people familiar with security but whose skills are not recognized for various reasons. These include the way they speak – if they do not use traditional security terminology. Nather commented: “Just because they don’t know the right lingo doesn’t mean they don’t know the concepts and that they can’t apply their skills.”
Nather also said that organizations need to be more careful about how they word their job descriptions, as they can often come across as overly restrictive to many good candidates. This includes postings asking for “ridiculous amounts of experience” in relatively new areas, like Kubernetes.
She added that this was a particular issue for candidates from underrepresented groups as they are “less likely to apply for positions where they fit the description 100%.” Therefore, asking for too many qualifications risks “cutting out the person who you need for your team.” To help prevent this situation from occurring, Nather believes that senior security personnel should be making this case loud and clear and “fight for latitude in hiring.”
In addition, a greater emphasis on soft skills should be made during the hiring stage, according to Nather. She argued that these types of attributes are just as valuable to an organization as the specific technical expertise, as the right people will be able to add these such skills to their repertoire in any case. For instance, she believes more value should be put on “tact, collaboration, the ability to explain things to anybody using very small words or the talent to be able to create something that people enjoy using.”
Concluding, Nather offered some takeaways for how the cybersecurity industry can grow the skills pipeline and diversify the people working within it. These include taking the initiative to discover and meet people from underrepresented groups rather than simply posting a job online. “To find the best people, you have to put in the work,” she explained.
Finally, Nather provided what she regarded to be the most crucial takeaway of the presentation, which is to recognize that “what I knew back then doesn’t matter now.” Simply put, the cybersecurity industry is evolving so quickly that the ability to adapt and learn new skills now is more important than past experiences in the field. She concluded: “What matters now is that we are all on the same starting line - we are all in the same race to learn. So look for the people you want to run with.”