Solving the Tech Skills Gap at Your Local Coffee Shop
I’m a hacker. It’s true, have been all my life: since my youngest days, when I took apart my toys to figure out how they worked, to my pre-teens, when I bought my first computer and hacked a dial-up community service, to the last 15 years of my career, which I’ve spent helping organizations secure their computer systems.

Like many of us in technology, though, my path through security has been more a result of a series of serendipitous events than any carefully laid out career plan. In fact, my ability to go from a pre-med major with dreams of being a surgeon to a software programmer was really more the result of a hiring manager who saw how the skills that I had developed in other industries would be valuable assets to developing banking software.

So I find myself wondering quite often: how many hiring managers have this same wisdom? How many of them could take a barista from a local coffee shop, for instance, and see how their skills relate to a job in security?

Now, if you follow technology news, and in particular around security, you’ve no doubt seen the headlines talking about the supposed skills gap or talent shortage. Cyber security, this industry that’s focused on ensuring that the digital systems that run our very lives are protected from attackers who would seek to destroy them or to manipulate them, struggles to find the talent that we need to fill those jobs. In fact, some estimates say there will be as many as four million unfilled jobs at the end of this year. And yet when I talk to people who are trying to launch a career in cyber security, they tell me that even after they get a degree, maybe an industry certification, maybe even demonstrate practical skills, that they can’t find these jobs.

I sensed this dissonance between what I was hearing from hiring organizations and what I was hearing from those people who are trying to start their careers. And so in 2020 I set about to try to find some answers. I surveyed thousands of aspiring and experienced cyber security professionals. I interviewed countless hiring managers and recruiters. I even looked at job descriptions that were available online, all with the intent of trying to figure out what was going on and causing this disconnect.

The reality of what I found is that most of the problems we have hiring in technology are self-inflicted, a result of unrealistic expectations that have created an unsustainable workforce model. So let me share with you some of what I found in my research, and some ideas for what organizations can do to start to address this problem.

Initially my research was focused on job seekers. I thought if I could just figure out what it is that they’re doing wrong, I could find some solutions for them and help them overcome. So one of the key questions on the survey was about their job search experience. And while maybe the experience of those aspiring professionals isn’t so alarming, it’s what happens with experienced professionals that makes my research more poignant. You see, two-thirds of aspiring job seekers will spend four months or more looking for that first job. Again, maybe not surprising, it’s entry-level jobs. But remember, this is an industry that says it has 4 million unfilled jobs. However, when it comes to those experienced professionals with demonstrated expertise, they too, 56 percent of the time, will spend four months or longer looking for a job. And when I asked both groups what the obstacles were that stood in their way, the overwhelming answer was bad job descriptions.

So I looked at job descriptions, and what I found was a disturbing pattern of behaviors. I saw internships that specified a requirement of three to five years in the industry, entry-level positions that called for the candidate to have a certification that is only issued to somebody with five or more years of experience. I even saw job descriptions that called for 10 years of experience in technologies that only existed for six. And in reality these aren’t exceptional edge cases. These are the majority of the job descriptions out there today.

And as I struggled with why is this happening, it was one job description in particular that stood out with some answers. You see, this job description went on for three pages, describing in intricate detail all of the various responsibilities of this particular role, and then subsequently the mountainous, almost impossible number of technologies that the candidate would need to have expertise in. Who’s this unicorn that’s going to fill a job like that?

Taking a more methodical look at job descriptions, I found that 91 percent of cyber security jobs require a degree and, at minimum, one industry certification. I broke that down further, looked at entry level: 71 percent of those entry level jobs had requirements of three or more years experience and a CISSP or equivalent certification.

Let me add some context for you about this CISSP. It stands for Certified Information Systems Security Professional. It’s a cyber security degree that’s issued by a non-profit training organization called (ISC)². This certification requires not only passing a stringent exam that covers all of the domains of cyber security, it also requires that the candidate have a minimum of five years in security related job roles. (ISC)², in their annual workforce study for 2020, estimated that there’s about 2.8 million cyber security professionals in the world. However, according to statistics on their website, as of October 2020 only 142,000 of those professionals had a CISSP degree, or a certification. That’s only five percent. Do you see the issue?

There lies the problem we hire in technology. Our job descriptions, in an effort to form objective criteria, focus deeply on minutia while missing the bigger picture of what makes a candidate successful. Our job descriptions are hyper focused on defining all of the technologies that we use in our organizations, and then finding candidates who can come in immediately and expertly configure, develop, optimize and deploy those systems without any form of on-the-job learning. Perhaps that’s valid if you’re hiring for a senior level position, but when that standard is applied across all of our roles, that’s simply not sustainable.

Cyber security, for its part, operates under this flawed set of expectations that we’re going to somehow be perfect in defending all of our systems. That’s just not realistic, and it leads to unrealistic hiring practices.

Indeed, as I look at the job descriptions and I talk to those hiring managers, there’s this prevalent belief that anyone hired into a cybersecurity role must already come in with existing deep expertise in technologies and techniques that will be used in that role. You don’t see this in any other industry. Doctors, for instance, go through years of a structured progression of on-the-job learning, and they’re responsible for human lives. Plumbers, electricians, other skilled trades, they go through years of apprenticeship to learn their craft on the job. So why don’t we apply this same approach when it comes to cyber security?

The sad truth for security is that our success is not based on technology expertise. That’s not even a primary factor. It’s the strength of our problem solving skills that makes us successful in cyber security roles. And to that end we need a community of diverse people with varied backgrounds and ideals and experiences who can bring that to bear and help augment our problem-solving capability collectively. So when we hire for these positions, we need to stop focusing on deep technical expertise in very specific technologies and instead focus on the skills that I refer to as core transferable skills, the skills that transcend any individual industry.

Let me share with you an example of what I mean. Over the course of my career I’ve had the opportunity to build many successful teams, and it was while I was leading the consulting organization for one particular company that I received a resume from a gentleman who had no technology experience whatsoever. He had worked mostly in retail, but his resume indicated to me that he had a strong passion for technology and a deep hunger to learn cyber security.

As I looked at the rest of his resume, I saw that he had a couple things that stood out. First was his customer service skills. The ability to empathetically understand your customer and to communicate with them in a way that’s meaningful to them is a crucial skill that we wish more in security had today. Additionally, he talked about how he was able to innovate and problem solve when he was faced with issues that affected the delivery of products and services. Specifically, he talked about a time that he identified an issue in their inventory processing that was impacting their return system. It’s that ability to see the relationships between disparate systems, to see how seemingly unrelated processes can impact one another, that’s crucial and at the foundation of any good cyber security professional.

And this model holds true when we go back to our barista example from earlier. Think about it: baristas are called upon to process multiple inputs from various sources very quickly, and to turn those into tasks, and to take those tasks and prioritize them and execute them in the most efficient way possible. And on top of that, they also have to plan and execute maintenance activities. This is a crucial path that cyber security professionals go down every day. It’s something that we do all the time.

Now of course this isn’t to say that every barista or retail employee is going to make a good cyber security professional. However, in this case I was able to keep my mind open, and after I verified that he had the technical aptitude and the hunger to learn, I brought him in for an interview. I ended up hiring him, and he’s been a very successful candidate ever since. This is the way we need to start hiring in our industry. We need to look for those crucial skills and then seek to build our employees.

To make this vision happen, organizations have to renew their commitment to developing their people. You see, (ISC)² in their workforce study tells us that the two primary influencers on success in cyber security are on the job learning and a structured training program. However, they also found that while 81 percent of security professionals said they needed more training, only 46 percent of their organizations were planning to actually increase expenditures on that training. This is a disconnect that we as leaders in this space need to take more seriously.

Now, while organizations do have their part to play, there are things that aspiring professionals can do today. Many in the industry will tell those aspiring professionals that they should seek a mentor or get a degree or get certifications. But according to my research, I found there was no correlation between those activities and a shortened job search. So while those activities are valuable for professional development, they aren’t necessarily going to help you find a job any faster.

I suggest that people be more creative in how they demonstrate their skills. Many of my peers will tell people they should do individual research and build labs and work in those spaces and learn the craft. And that’s great, those are good ideas, except that they don’t translate well to a resume. So I say they take it to another level: create blogs, video content, other online content; demonstrate their mastery by creating this instructional content that can be used across the industry. It’s far easier and more credible to demonstrate your skills as an online content creator than some less tangible self-study you did. For those that can manage it, I even suggest that they reach out to local small companies and non-profits that likely need some help with cyber security anyway, and offer to do projects for them on a reduced rate or pro bono basis. Again, those are experiences that translate more easily to a resume.

But this is all just band-aid solutions, and we really need organizations to become part of addressing this disconnect. In order to fix the problems that we have hiring in technology, and in security in particular, we need to renew our focus on those core transferable skills that are the truest measure of candidate success. Organizations need to be active players in addressing the unrealistic job descriptions and expectations in hiring. They need to take meaningful action to create a more sustainable workforce. We as leaders in technology have the opportunity to help address this issue by recognizing that hidden connection that exists between a great cup of coffee and a great cyber security defender.

Thank you so much for your time.