Security is a tough domain, requiring years of study, a certain rebellious yet protective spirit and Sherlock Holmes-like instincts. Or is it? We have an archetypal image of the ultimate security practitioner, yet we lament both the difficulty of finding these security unicorns and the lack of diversity in our industry. Even when we lower our expectations and look for the proto materials for future unicorns, we still collectively see only a talent gap with fears of 3.5 million jobs being unfilled. But what if it didn’t have to be this way?
At RSA Conference, I found an emerging perspective taking shape that there might not actually be a “Talent Gap.” The talent gap could be a self-fulfilling prophecy or at the very least an avoidable consequence of security’s red hot growth. It’s worth looking at the flip side briefly before we complain again about the scarcity of talent.
What started as an esoteric field is becoming even more arcane as we grow, and as we mature. Management, HR, development, testing, operations and academic communities within our companies are reinforcing this. We’re also in many cases living lives of drudgery in security as small teams try to keep up at machine speeds in complex IT environments. As icing on the cake, the reward for someone who decides to take the management track is often burnout. Although frankly, burnout is high for many in security without having to move into management!
At some point that I haven’t quite figured out, we went from a genuine talent gap to a situation where we aren’t participating in our own rescue and are making the situation worse. What will it take to get this right going forward? Here’s my take:
- User-centrism in two key areas:
  - Process optimization and waste elimination may sound old school, but it makes sense. Build lean processes to support the goals of cyber functions.
  - Design user experience and interfaces to maximize the user's time and efficiency on the tasks of security rather than on the tools of security, while avoiding the problems of Leaky Abstraction. As I mentioned in Crystal Ball, it’s time for security’s developers to pay attention to how real users behave. While we’re at it, let’s adopt the Agile Manifesto when servicing those user interfaces.
  - Organizational management and instrumentation are critical, stretching from how we organize people and train staff through measuring key metrics. Let’s not bayonet the wounded but rather empower them with logistical changes.
- Build healthier cultures that widen the net and then accommodate all:
  - Increasing diversity in all dimensions: educational background, gender, ethnicity, culture, faith and more. This is a tough one, but reach out to communities you don’t normally reach, increase the size of your recruiting candidate pool and make sure you have diverse leaders in interview processes.
  - Encouraging a cultivation-, consensus- and/or expertise-oriented culture and values. No rewards for unassailable, always-right gurus. We want humility, reward for learning, encouragement of showing the work and a belief that anyone can do the job.
  - Get Agile in security, from engineering-for-security to using Agile in SecOps, not just the trappings of Agile (i.e., don’t just claim Agile because you have sprint cycles or retrospectives).
I’ve just scratched the surface, but I think if we earnestly follow these recommendations, we will close the Talent Gap, will participate in our own rescue and will make things a lot more fun in security.
If I’m wrong, the above sounds worth doing anyway!