I have been writing about the skills shortage in cybersecurity for years. Often when we reporters cover this topic, we note that many estimates predict there is a global shortage of around 3 million cybersecurity professionals.
But it’s a topic not without controversy. For every person I interview who claims it is near impossible for businesses to fully staff their security teams due to the profound lack of skilled security pros, there are others who claim these problems are overstated. And another perspective I hear at times is from those trying to find employment—these folks often ponder on social media how the skills shortage can be so drastic if they cannot so much as get an interview in infosec. It is perplexing, indeed.
All of this considered, a recent article in Venture Beat about the skills shortage caught my eye. It was written by Fredrick “Flee” Lee, the CISO of Gusto, a platform for payroll and benefits administration. Titled “Calling BS on the security skills shortage,” the piece argues that the skills shortage is not about an actual lack of people who can do security work; rather, it is being felt by hiring managers all over the globe because the process of hiring in security is broken. Lee argues everything from the interview process to the attitude of hiring managers and the industry as a whole needs to be overhauled.
Intrigued, I asked Lee to go deeper into the topic with me on what he sees as the barriers to hiring in infosec.
Security Boulevard: You mention in the article that security has a “secret-handshake-society mindset that enables a lack of diversity in the workforce, deters new entrants to the field and, ultimately, undermines our ability to stay secure in the long run.” Can you elaborate on that?
Lee: I’d imagine, if you ask most folks to envision a cybersecurity professional, they’d probably conjure up an image of a hacker in a hoodie hiding in the shadows hunched behind a laptop. And, if you asked them what a cybersecurity pro actually does in a given day, I’m not sure they’d be able to tell you. That’s because cybersecurity has cultivated a “dark arts” attitude. As an industry, we’ve adopted the mystique of the “elite hacker” which can make us seem like a standoffish clique. And that’s not serving us, especially when it comes to hiring.
Security wants to be known as the coolest team in the room. And that’s an issue, especially when it comes to hiring. The industry has created so many walls that we’ve become insular. And that attitude has translated to homogenous hiring practices. We need more people to explore careers in cybersecurity and to see themselves in this field. Elitism creates barriers to entry and intimidates people from pursuing cybersecurity roles. That’s especially true of people from underrepresented groups or unconventional backgrounds.
Cybersecurity, on the whole, needs to build a more inclusive culture that welcomes people from ALL backgrounds, including those who don’t necessarily have degrees from the same handful of elite institutions. That starts by changing the stereotype of the cybersecurity pro. If we hire from a narrow funnel of applicants—who are educated the same, think the same, and look the same—how can anyone outside of that pipeline see cybersecurity as a viable career to pursue?
Security isn’t sorcery or a sleight-of-hand magic trick. What we do on a daily basis doesn’t need to be indecipherable to the outside world. We need to communicate what we do in a way that’s easily and widely understood. Security should sacrifice being elite and exclusive so it can prioritize being effective. When we treat security like an exclusive, “secret handshake” society, it silos us off and creates blind spots that lead to vulnerabilities. But, when security is approachable and we create an environment where it’s easy for folks to ask questions and use features, people want to actively engage with and utilize security solutions—and it may even prompt them to explore careers in our industry.
SB: Sometimes when I cover this topic, I inevitably hear from people who say, “If there is a skills shortage, why can’t I get hired anywhere?” There seems to be a disconnect between what job seekers are observing and what hiring managers are experiencing. What’s behind that disconnect?
Lee: The disconnect lies with the cybersecurity hiring managers themselves and how they communicate their needs to the broader business, especially the recruiters who are scouting candidates on their behalf. Hiring managers need to have the courage and confidence to explain why they’re bullish about a resume that doesn’t look like all the others in the stack, or why it doesn’t read word-for-word with what’s listed in a job posting. Cybersecurity needs to guide recruiters to understand the value of finding diamonds in the rough and give them the support and latitude they need to seek them out. That way, resumes aren’t filtered out too early in the process.
That said, candidates—particularly those who are changing careers or hoping to break into cybersecurity—still need to make themselves stand out. Adding an alphabet soup of certifications to your resume isn’t the only way to do that. I find the best way to set yourself apart is storytelling—your ability to build a narrative for yourself that explains your experience, contextualizes your transferable skills, underscores your problem-solving abilities and highlights your growth mindset. Giving yourself a hook makes it easier for people to understand your unique story and how your skillset would be an asset to the company.
SB: I also hear from security veterans on hiring who say, “Of course inexperienced people can’t get hired. Who would hire someone to protect something they have no experience with?” What is your reaction to this mindset?
Lee: A big part of the problem is what I call “brand name hiring.” Hiring managers chase brand names and over-index on pedigree all the time, because they believe degrees from elite institutions or specific certifications offer the strongest baseline of insight into a candidate’s knowledge base and experience. And, resumes like those can be much easier to defend to higher-ups in the company. But, there’s no such thing as a bulletproof resume, and a surefire candidate on paper isn’t always a sure thing in practice. In fact, I believe brand name hiring can breed biases that can become blind spots for the business.
Cybersecurity isn’t an industry built on safe bets and sure things. It’s based on innovation and bold thinking. Cybersecurity is an ever-changing field with an ever-shifting threat landscape. This industry is never static. Even experts in the field, including those with decades of experience, are going to encounter new challenges every day. That’s why we can’t afford to hire the same candidates from the same narrow pipeline of established talent. Every cybersecurity professional was a “n00b” at one point, which is why we need more humility in the hiring process.
SB: You note in the article, “Prioritize potential over pedigree.” Again, some security folks think that’s too risky. Is it?
Lee: There’s an advantage in shifting the way we evaluate criteria to gain a more holistic sense of candidates and what they’re capable of doing, versus what they’ve already done. Too often, we look externally for skillsets to be filled before a candidate gets to us, either via degrees, certifications or completed coursework. But, as a company grows, there is more and more opportunity to develop your own learning and development initiatives for skills-building.
And that’s a good thing, because not all certifications are created equal, and having a certification isn’t necessarily an indicator of how effective you’ll be in applying that knowledge to the work at hand. For any hire, skills are undoubtedly important, and assessments are—and should be—part of the process. But, it’s important to factor growth potential into the equation by evaluating the job a person is capable of doing instead of fixating squarely on the work they’ve already done.