A recent wave in the cybersecurity world has been creeping into conferences, discussion forums and networking meetings that is creating a dangerous trend for the profession. What trend you ask? Exclusivity. It’s becoming pervasive. Phrases in decisions of hiring like:
- “They’ve never found a zero day, so they aren’t really a cybersecurity professional.”
- “What do you mean you don’t know how to (insert subject here) you must not be in cybersecurity.”
- “How could you not know something like that?”
The list could go on. Slowly but surely, we are all becoming cybersecurity snobs. We see the constant stream of articles about how our profession is short 500,000 or more bodies to fill the skills desperately needed. We complain about the ridiculous job postings requiring someone to have a CISSP for an entry level position, and yet we smirk when someone doesn’t know something about a subject in our given concentration, or we make jokes about the guy we met who didn’t know that “any-any” was a bad idea.
Cybersecurity isn’t what you think it is. It’s not just your team of firewall experts who could recite the Cisco manual backwards in their sleep. It is essentially a sales job. Our job is to convince our leadership to invest in security technologies and people from a looming threat that may not have happened yet, or may never happen if we did our job right.
Once we receive that investment, we’re trying to convince people that it is working and that we are preventing attacks from being successful, when in actuality it is counterfactual: We can never know that something we installed prevented a set amount of breaches, just as much as we cannot prove that if we had invested in a technology it would have prevented an attack after it already happen.
We need more people who can translate tech-speak into things our c-suite can understand in terms they’re familiar with. A cybersecurity professional can be business user who you fostered a relationship with and now knows to spot compliance issue with end users and send it your way. They cannot only be your penetration testing team who could find their way into any system but your privacy team, who is coaching staff to think about the data they are using and how to use technology to limit what people have access to.
Cybersecurity needs to be less of an exclusive club of overtly technical folks, instead, we can and should include and train people who don’t have technical backgrounds. Cybersecurity has a multitude of domains and concentrations ranging from network security to compliance and risk management, but it is much more than that.
Cybersecurity touches every facet of an organization, from its firewall rules all the way to its personnel letting someone into a building. The creation of inclusivity in cybersecurity affords the opportunity to teach, learn and foster collaboration across the spectrum of both IT and also business and end-users alike. The questions we should be asking for a more inclusive approach may look like:
- “How would you tell a business user what they’re doing is risky behavior?”
- “How would you solve a security problem if the most common option is not able to be done?”
- “How would you solve a business problem that may also impact security or compliance?”
- “Why do you think security is a business problem?”
- “Could you translate what technologist is saying into a data flow diagram?”
Cybersecurity is a shared responsibility and our industry’s culture needs to reflect this. Changing the narrative, and creating more inclusivity will go a long way.