Why cybersecurity victims will grow

It is no secret there is a worldwide cybersecurity skills shortage. In fact, this shortage is often described as a “crisis”.

But the response to this crisis always deals with the supply side of the issue. Nobody is thinking about approaching the problem from the demand side. For example, the Australian government recently held a Jobs and Skills Summit, and all of the proposed solutions were supply-side ones, with training and immigration the most frequently mentioned.

Demand Side Dysfunction

In cybersecurity (and in the wider tech industry), the demand side of the problem is especially acute. This 2019 report mentioned that cybersecurity graduates, despite having skills in high demand, faced difficulties in finding employment:
However, it will take time before this pipeline of graduates is ready to enter the workforce, and even then, they may face obstacles because of outdated hiring practices.

In that report:

In addition, there are signs that employers’ hiring practices may be exacerbating the lack of skilled workers. For instance, two-thirds of information and cyber security professionals surveyed by the Australian Information Security Association in 2016 cited management’s failure to understand skills requirements as a key driver of the current cyber skills shortage, while just over half said employers were reluctant to recruit and train entry-level candidates for cyber security roles.
A CISO representative explained,
"HR writes position descriptions based on things that they know how to assess, like qualifications and experience. The new cyber security workforce doesn’t yet have these qualifications or experience."
This report is consistent with what I wrote about the utter mindlessness of how recruitment processes actually work:
That is why the job market is so brutal. The hiring process is done this way because it is convenient and cheap, not because it produces the best outcome for both the company and the candidate.
As I explained further, the outcome of such widespread dysfunctional hiring practice is this:
… companies are only looking for those with the exact configuration of previous experiences to fill vacancies. This implies that companies are hiring people who are trained and experienced at others’ expense. There is widespread reluctance to invest in the skills, training and development of both existing and new staff.

This hiring culture betrays an underlying selfish motivation. If a company invests in developing its staff, and those staff are then poached by others, it has in effect subsidised the training and development of staff for other companies. Therefore, companies adopt the attitude of NOT training their staff. Why invest in training and developing their staff's skills, only for them to be poached by other companies, who will then enjoy the fruits of that investment? Companies would rather be the ones poaching other companies' staff.

Unfortunately, this widespread practice results in a chronic under-investment in skills, training and development in the economy.

In the context of cybersecurity, the outcome is that the skills shortage crisis is being exacerbated by cheap, convenient and expedient hiring practices that are worse than ineffective: they make the skills shortage even more acute. Such hiring practices are counter-productive to solving the skills shortage crisis.

In fact, there are some signs that hiring practices have degenerated into a farce. These are a couple I saw on LinkedIn:

Image caption: The attempted humor in the top classified ad is one thing, but the idea that a company would require 10 years experience for a programming language launched five months ago is the real joke.

Personally, regarding the Carbon programming post immediately above, I was approached by a cybersecurity recruitment agent who confessed she had no idea what the job requirement meant.

To make matters worse, businesses and governments automate their dysfunctional hiring process with mindless software algorithms. As this Wall Street Journal article reported,

Companies Need More Workers. Why Do They Reject Millions of Résumés? Automated-hiring systems are excluding many people from job discussions at a time when additional employees are desperately needed.
And so, this leads to the magnification and scaling up of farcical hiring processes.

Is the cybersecurity skills shortage a myth?

The dysfunction on the demand side of the skills shortage is so bad that there is now push-back from the grassroots level. A registered non-profit organization, Cybersecurity Gatebreakers, has been formed to deal with this problem:
The cybersecurity skills gap is a myth.

There are tens of thousands of bright, passionate, and high-potential people around the world, hoping desperately to break into cybersecurity. But there is no room for them; most “entry-level” job openings require years of experience, formal technical education, and a litany of professional certifications.

But why is this?

Certainly, there is entry-level work in cybersecurity. You don’t NEED five years of experience, a college degree, or a CISSP to do many of the basic tasks found in cybersecurity. This is true across almost every domain, subdomain, and specialty within cybersecurity.

Demand for Cybersecurity Skills Doesn't Match Reality

As I mentioned before in this article,
In this Information Age, changes are happening at an accelerating rate. There will always be new processes, new technology, new software, new hardware and new information coming in.

The work that you do will always be changing. Your experience will grow along with your work, even in the absence of training and development by your employer.

But there is one problem.

The specific configuration of experiences you gain will be unique to your company only. Since no two companies are identical, no two people with the same job title in different companies will have an identical configuration of experiences. In other words, you, along with many others, have become a unicorn.

This is especially true for technology workers.

Let me quantify the level of uniqueness of modern technology workers. In cybersecurity alone, there are 3,500 different specializations. Let’s say in a typical cybersecurity job, employers are looking for experience in five different specializations. How does an employer or employee realistically narrow it down?

Unless something is done on the demand side to consolidate the number of specializations to a realistically manageable number, the cybersecurity skills shortage will continue to be a global issue.

Why are cybersecurity professionals resigning and leaving the industry?

In the cybersecurity industry, there are serious difficulties in getting enough skilled workers. This problem is going to get worse because a large proportion of those skilled workers intend to resign. As this ZDNet article reported,
Cybersecurity leaders are anticipating mass resignations within the year - here's why...

The growing threat of attacks combined with industry skill gaps is leading to sky-high burnout rates among cybersecurity professionals.

As cybersecurity professionals resign, they will pass on their existing workloads to their colleagues who are left behind. This increases the burden on those colleagues, who will then accelerate their burnout rate. That in turn will induce them to resign too, which in turn will pass on the burden to fewer and fewer cybersecurity professionals.

Why are cybersecurity professionals burning out? The reason is overwork. Why are they overworked? The main reason is the nature of the problem that the cybersecurity industry is trying to solve. As I wrote in What do cybersecurity and the Great Wall of China have in common?

Cybersecurity has a similar problem to the Great Wall of China. The nature of the problem favors the attackers disproportionately much more than the defenders...

As we all know, there is a severe shortage of cybersecurity professionals. The defenders of the Great Wall of China needed to dwarf the number of attackers to be effective. The Ming dynasty had to deploy a colossal army of 1 million to do that job. But in cybersecurity, we are nowhere near the relative number of professionals required to defend against attackers.

The cybersecurity industry death spiral

You would expect that this will increase the urgency to hire new entrants into the cybersecurity profession, right? Unfortunately, the existence of the Cybersecurity Gatebreakers foundation shows that the cybersecurity gatekeepers are not budging.

In cybersecurity, we are fighting like the Japanese and losing: we are repeating the same mistake that the Japanese made during World War II, and we know that the Japanese lost that war. In the same way, our cybersecurity industry is going to lose to its adversaries: cybercriminals and hostile nation-states.

In other words, the cybersecurity industry is in a death spiral.

That’s where more cyber security “dead bodies” are going to pile up faster.

Remember those “tens of thousands of bright, passionate, and high-potential people around the world” mentioned by the Cybersecurity Gatebreakers foundation?

These people, although being rejected by the cybersecurity job market, have the skills to be hackers and cybercriminals. In fact, I saw this meme in this Reddit forum:

By not resolving the demand side of the problem, the frustration of these talented and passionate individuals can only grow. The temptation to go over to the dark side can only increase. After all, cybercrime is a good “business”. Even if these individuals do not want to commit cybercrimes directly, cybercrime is now an ‘industry’ of its own, with various levels of division of labor and specialization. These individuals will be tempted to provide grey ancillary services to whoever is the highest bidder, who may be the real cybercriminals and hostile nation-states.

This means that as the cybersecurity industry falls into a death spiral, the cybercrime ‘industry’ will experience corresponding growth. This can only mean one thing: there will be more victims of cybercrime and hacking. In the end, all of us will eventually pay a price for not resolving this problem.

This is a companion discussion topic for the original entry at https://peakprosperity.com/why-cybersecurity-victims-will-grow/

Poaching And Training

I used to work for a company who installed telecommunications systems. They were savvy people who would pay to train their staff, and enjoyed the benefits of an educated and up-skilled workforce. However there was a caveat. Only permanent staff who had to give 2 weeks/4 weeks of notice before resigning were eligible for the training paid for by the company. It was written into their employment contract that should they leave the company within a certain time-frame after completing their training, the cost of the training would be deducted from their entitlements due to be paid out. In my time there, people were trained, but nobody who was trained defected across to the competition.
I think from memory, casuals were allowed to complete training at their own expense, and if they became permanents the cost would be reimbursed, under a similar new contract of employment.
Everyone benefited - business, employees, customers.
There are ways to increase skills so long as companies are not in a race to the bottom to pay lowest wages/costs and expect best skills at the same time.


Security Is An MVP

As a former “red team” penetration tester, I made the decision almost 15 years ago to pivot into infrastructure & platform engineering. Security has always been a passion of mine, and I was very fortunate to have been in exclusive circles in the security community, but I found greater opportunities in other tech industry sectors as I realized that most companies do not prioritize security beyond the bare minimum requirements.
This de-prioritization is a real disease, and one that has frustrated me immensely over the years. Corporate leadership in these organizations are only concerned with getting past an audit - often crossing ethical lines in masking security problems instead of devoting effort and resources for remediation.
The fundamental problem that I have observed is cultural in nature - investments in security haven’t scaled with the typical product & feature innovations that most product/service-driven companies value over all else. They treat security and security teams like an unloved step-child, and they view security and tech debt like a toothache that they want no part of.
Like a wise man once said, organizations rot from the top down - not from the bottom up. In compliance-heavy environments, they hire CISSPs that usually have nothing more than a credential and some intention for resume padding as they work their way up the ladder. Rarely have I worked in an organization where anyone in a CSO/CISO role was anything beyond that caliber. We should have been staffing more talent over those with academic credentials alone, because real-world and bleeding edge threats require the front-line passion that these individuals bring to the table.


Same Story All Over Stem

The HR bums can’t write coherent job requirement listings, they’re usually little more than lists of requirement buzzwords. Then the automated resume reader-matcher program can’t find an exact match between any of the 10,000 applicants – just try to tell me each and every one of those 10,000 applicants are unqualified! – and the job goes unfilled.
Or the flip side is that the right candidate with the inside track has already been given an unofficial offer, pending the open advertisement of the position. Then the job listing is generated from the candidate’s resume – “must be left-handed, has five years’ experience with mass spectrometers, fluent in both python and cobol, and an avid triathlete” – and hey presto! the automated resume matcher can somehow only find ONE applicant who meets all requirements.
Same story all over STEM.


This is the story of my entire life.


What’s A Student To Do?

What do I advise my kid to do given that this is his area of interest? He is applying to college, top picks of MIT and Cornell, not sure if either will be more appealing than SUNY Binghamton given the cost and quality. Is he better off studying cybersecurity or another CS field such as computer vision? Or do they all have this issue? Is it worth going to a top school?


The best gift you can give him is NO STUDENT DEBT, so go to an affordable school. Let him choose what to study. I chose Mechanical Engineering, but realised I wanted to write software. I don’t regret that time because it taught me how to think analytically. The subject matter is secondary, and often out of date by the time you graduate.


Let me tell you my experience.
When I was a kid, I was passionate about computer programming. I wanted to do coding, create my own programs, be a software entrepreneur, etc. The natural course of action would be to study computer science at university.
My dad gave me different advice. Instead of studying computer science, he told me I should study a different field (e.g. finance, economics, engineering, etc.) and then use my coding and programming skills to enhance my career in whichever field I am in.
Then the dot com bubble came and it seemed that his advice was the wrong advice.
Today, I can see how prescient his advice was.
Look at the dysfunctional job ‘market’ in the tech industry. Your kid will face this problem when he graduates with a CS degree: he can’t find a job unless he has the specific and narrowly defined configuration of experience that the job requires. But where is he going to find that experience if he doesn’t have a job that provides that specific set of experiences in the first place? Your kid will face a chicken and egg problem.
This will be the same advice I give my kids: Don’t study IT at university. Do something else. If they love coding or programming, then use those skills to enhance whichever field they are in. I don’t know about America, but in Australia, IT workers have poor working conditions. They are underpaid, overworked, overstressed. They have to suffer all that in the context of no job security. Most IT workers work as contractors or fixed term workers. And their jobs can be easily outsourced to foreign countries or taken over by cheaper migrants.
In other words, IT workers are disrespected and abused. There’s a saying about IT workers: In a recession, they are “first to fire and last to fire”.
I will only change my advice to my kids if I see these pre-conditions happen:

  • the global dysfunction in the demand-side of IT skills is fixed and reformed
  • a genuine effort to train, skill and grow tech talent. Something like what Israel is doing: https://www.youtube.com/watch?v=IluKcbamqfk
Of course, there are exceptions. Your kid may find work in an awesome company, or somehow find a lucrative career path working for a Big Tech company in Silicon Valley. But I wouldn't count on that happening.

Correction: “first to fire and last to hire”.


He did a GenCyber camp in middle school. Enjoyed it, but they told him the penalty for hacking is 20 years in jail. He hacked into the test computer before the instructor was done explaining it. But they scared him so much he was put off cybersecurity, though has renewed interest now.
His older brother studied computer engineering for the reason you stated. He felt everyone was getting a CS degree and was actually quite good at the engineering part. He is a research engineer now and does microprocessor programming, but worked for the same company all through college. This kid is considering doing the same, but has less dexterity which is making him hesitate. He would like to double major in math.
Thank you so much for your perspective. I will definitely check out your website!

He did a GenCyber camp in middle school. Enjoyed it, but they told him the penalty for hacking is 20 years in jail. He hacked into the test computer before the instructor was done explaining it. But they scared him so much he was put off cybersecurity, though has renewed interest now.
That's the reason why I think cybersecurity and cybercrime are going to get worse. If your son were in Israel, he would be cultivated as a talent. Maybe even join the elite military hacking unit. Then after military service, take up elite cybersecurity jobs in the private sector. Here in Australia (and the US), passionate and talented people like your son will have difficulty even finding an entry-level cybersecurity job, thanks to the dysfunctional job 'market'. In fact, clueless HR will complain he has no experience, not enough qualifications, blah blah blah. So, a lot of talented young people rejected by the job 'market' will end up on the dark side. They have precisely the skills to be a good hacker. And so, they will end up being hackers. Unlike in Israel, these people will be put to good use.

We are in the US. The US military does offer scholarships for top students, but they have to serve in a cybersecurity role for the government or military for the same number of years. They also sponsor research opportunities for students. I’ve been encouraging him to consider this. He is hesitant to work for the military. It doesn’t have a good reputation and no one is sure what it stands for or who (which party) they will be working for. They associate it with being the aggressor, and using drones to kill people. And let’s not get started about Afghanistan. So they will have to do some selling if they want him. I think he would rather go to state school than have them pay for an expensive school.


I just asked him about it again and he said he doesn’t want to spy on people, and then there’s the whole Snowden thing.


Haha I thought “first to fire and last to fire” was a nice witticism on your corrected statement. Gets across the point that IT folks are getting canned all throughout the belt-tightening process. :slight_smile:


Pathetic Wages Result In Weak Workforce

Like several below have rightly commented, the de-prioritization of cybersecurity is a tremendous problem within the IT world right now. I have been working in offensive cybersecurity for 15+ years, and de-prioritization is one of the most common pitfalls organizations consistently fall into. “Oh, we won't be hacked, it's only for the Fortune 10”, etc.
A large problem I notice as a result of this de-prioritization is the poor wages even for skilled individuals… it doesn't matter the skill level of a person, if the company isn't able to bill them out at a high rate or the company doesn't see security as a paramount priority, they simply will not be paid well. Much of the skilled portion of cybersecurity right now stays in the contracting / DoD side where the money is good and the jobs are easy. Wake up, America. A cyber black swan is coming…

Speaking as a person who spent a long time in academia up until recently it might not be worth it to go to any university. The quality of education a motivated person can get for themselves using the internet is higher than most courses you would attend in person. The job market is so dysfunctional it wouldn’t be rewarding work even if a job is immediately available post-college. On top of that universities are really, frighteningly, mono-culture at this point.
Young people today are in a tough spot. The best option seems to be motivated self-education and entrepreneurship.


In defense of the manager who wrote the “targeted” job description, with HR rules on diversity and pay levels, etc., as a manager I often wrote formal requests after I’d found a few good candidates to make sure I’d get precisely the people I needed.
Particularly in STEM, both HR and the algorithms are totally useless.

That said, as an application designer, one of the major problems I’ve run into in the last 5-6 years of my career is that trying to paste security on over top of huge, complex enterprise software systems, most of which barely function as is, makes the entire system unusable, especially as large organizations try to move apps to the cloud. We put out security updates to VERY small test groups. More than half the time, we’ve had to roll them back because the system became non-functional. Example: two-factor authentication was supposed to happen ONCE in the morning. Instead, it popped up every time the user switched programs - oops, back to the drawing board.
The issue is that ancient software (Microsoft, SAP, …) has huge holes, and enterprises have made functionality worse by cobbling together not-quite-compatible programs and hardware into systems that require continuous maintenance and can’t be easily updated.
The problem is, security has to be the backbone of any system, not the add-on. When you paste a band-aid on a leaking artery, things get worse quickly. The systems are less secure and productivity is decreasing.

Perhaps Also The Wrong Team Model

In a smaller IT department, we discovered an apprenticeship/assistant model. We found the best tech people spend much of their time on administrivia and tasks that could have been delegated (sometimes to a trained monkey). Tech people are often encouraged to be head down to the screen and not given the opportunity to do knowledge transfer and mentoring of new staff. We started with interns from the local college and let senior staff use them as direct assistants. Our developer learned to mentor and we had a new, entry level hire that already knew our internal systems. We learned to split work by level of complexity, with senior staff monitoring the simpler work. The Agile trend often pushes organizations to think they should form IT teams of equals. In fact the OLD model of a team with a master, journeymen and apprentices is actually more efficient and effective at turning out work AND it solves the pipeline problem, as you can make effective use of less experienced staff while leveraging the time of your most skilled.
A major problem in smaller to midsized IT shops is that managers want to hire one person to do two jobs, because they think they can’t afford two FTE. Often those two skill sets are incompatible - programmer/analyst for example is an oxymoron. Not only are they different skill sets, but they require different innate capabilities. So, we tried to convince our HR department to allow us to hire two part time people (would be a great job for moms with small kids). The excuses as to why NOT were overwhelming, but it really came down to HR never having done it that way, and there was no policy for part time professional positions, so it would require a Board of Directors directive to change. In short, corporations have been making mistakes with how they hire and organize professional employees for decades and those dysfunctional ideas are now entrenched in business policy. Computer security professionals are just the tip of this iceberg. HR has destroyed corporate ability to appropriately deploy their human resources.

In a smaller IT department, we discovered an apprenticeship/assistant model. 
By coincidence, this was the idea I had this morning! I notice that in many companies, there's always one IT guru that gets piled on with more and more responsibilities until that person becomes a central bottleneck with all the institutional IT knowledge inside his head. We joked that if that guy ever gets knocked down by the bus, the entire company is screwed. I came upon this idea literally this morning that the proper way to run an organisation's IT is to get one or more junior persons to follow and assist that bottleneck senior IT person and for more and more work to be delegated to that junior person(s). Over time, those junior person(s) will accumulate knowledge and experience. It will reduce the risk to the organisation because if the knowledge and skills are spread around, then the organisation will not be screwed if that senior IT person gets knocked down by the bus. Unfortunately, this better way is not adopted because organisations don't think ahead and it is cheaper and more convenient in the short term to run it that way.