Is there really a cyber skills shortage or are we all wasting time?
My mum used to tell me: ‘You can’t say you’re hungry if you won’t eat a piece of fruit.’ I think that’s why she never made it as a chef.
I was hungry and I didn’t want fruit. And I was 28 years old. But it’s a useful metaphor, so let’s run with it. The idea is that you can’t complain about a problem if you haven’t exhausted all of the available options to fix it.
I wanted to apply this idea to the ‘skills shortage’ in cybersecurity that we hear so much about. Much has been written about the need to hire better and widen access to the industry to fill that shortfall. But the idea that there is a shortfall that can only be fixed by hiring is taken for granted, without questioning whether the shortfall is really as bad as is claimed.
We supposedly need 3 million more people in our industry - a 65% increase. Is that really true? Do we genuinely need 3 million more people to be able to do our work? Or are we failing to use other means to fix the problem?
If the cybersecurity industry is actually hungry, has it tried to eat fruit?
A note on numbers
There are several studies that publish workforce shortage estimates, but those that are transparent about their methodology are largely based on surveys. Which is to say - the studies are based (in one way or another) on asking cybersecurity professionals whether they think there is a gap. I see two potential issues:
It might be more accurately described as a perception of a skills shortage. That’s an important distinction - if we state it as absolute fact, the obvious solution is to hire more people. But if we consider it as a perception, we can think more carefully about where the problem really lies.
There is a risk of the skills shortage becoming a self-fulfilling prophecy, or at least a self-inflating prophecy. If a group of people are constantly told that a problem exists, that there is research proving it exists and that it is making their lives difficult - then they are likely to agree that the problem exists when asked.
Are existing cyber security personnel being applied effectively and efficiently?
In the last 9 years I’ve probably worked in or with at least 50 different cybersecurity teams. Some of them were very good, some of them were not. Some of them made me question how the human race has survived for this long.
All of them had one thing in common - they were doing pointless work. At least one person was spending time on a task that provided absolutely no value. Most often, the majority of people were spending a lot of time on lots of pointless tasks. In extreme cases, individuals were spending all of their time doing work with no discernible benefit.
Here are some examples of those tasks:
Meetings where nobody learned anything and no action was agreed. Normally these are ‘recurring meetings’.
Tasks that are done mostly to tick a box, such as:
    Creating documentation that nobody will ever read.
    Doing risk assessments when there is no possibility of anyone ever following up on the outputs.
    Certification-related administrivia (a word contributed here by someone much more intelligent than me): various inane bits of admin done under the mistaken belief that they somehow result in compliance with ISO 27001.
Almost anything to do with a spreadsheet. But especially spending hours reconciling data from multiple sources that should talk to each other but don’t and then using the outputs of that exercise for absolutely nothing.
Most cybersecurity professionals could add a thousand items to that list. In fact, I think anyone reading this article could immediately give me 3 examples of similar pointless work in their own organisation.
And yet, we keep hearing that our industry is 3 million people short. So why do we accept it? Why do we keep doing it?
My challenge to anyone responsible for managing a security team is this: before you make your next hire, spend some time looking at every single task your team does. Think about what the new person will be doing and what the impact on your organisation’s cyber security programme is likely to be. Eliminate the pointless work and ask yourself if you still need to hire.
Not hungry or refusing to eat fruit?
There is plenty of research evidencing a skills shortage in cybersecurity. Much of that research - for example, that done by the British Government (which in 2020 launched a campaign to make ballerinas retrain and work in cybersecurity as a punishment for being involved in the arts) - I expect was very robust.
We have to contextualise the shortage as being based on our own perception. Yes, there are things we should do to bring more people into the profession (for a start, improving access to the profession, committing to training people and having sensible requirements for entry-level positions). But we also have to be brutally honest with ourselves about whether we’re doing everything we can to make the most of the people we have.
Our first response to feeling like we don’t have enough time to secure our organisations should be to make sure the work we’re doing is useful, not to hire more people. Let’s eliminate pointless work, build an industry where everything we do makes a legitimate contribution to making us more secure and genuinely challenge ourselves to justify our hiring decisions.
Maybe we are genuinely hungry, but let’s eat the fruit first to see if it helps.
The views expressed in this article are the views of the author and do not purport to represent the views of 3Factor.