IT security staffing shortage? Nonsense.


From Codas to Coding

Many years ago I was a kid living in the Raleigh area and I met a music teacher who was leaving her job to go work for IBM as a programmer. I asked whether she had any programming background and she said no — but IBM was going to train her. She said IBM was recruiting new talent into the software field and wanted folks that could handle some math and logic, and to their thinking, music majors fit the bill for them. They were going to provide months of training and bring this music educator up to speed with new skills and then use her to create software for IBM.

That’s how you solve a lack of skills in your industry: you find people that are smart and trainable, and you train them.

The So-Called Security Skills Crunch

These days you can’t swing a dead cat around without hitting a hand-wringing or cheer-leading security industry article talking about:

Well that sounds good to me! I’ve been doing IT security work for years as part of my various IT infrastructure, project, and management jobs. I work with firewalls, VPNs, networks, servers, directories and so forth all the time. I’ve been a HIPAA Security Officer in the healthcare sector. I’m gonna be rich!

So… where’s my big fat check?

Reality of Corporate Attitudes Toward Security

The truth is corporations really don’t like security and they aren’t hiring nearly as much as the salary surveys and feel-good security industry articles would have you believe. To most corporate leaders, IT security feels extravagant and wasteful: “Why would I hire even more people to not produce anything marketable?” Even worse, more security slows productivity for those that actually are generating marketable goods and services. And to guys in the C-suite, it’s painfully boring to boot — whether it’s endless policy discussions or technical reviews, it ain’t sexy or fun.

The data breach explosion and the corresponding breach fatigue come from these corporate attitudes: that security is boring, too expensive, and anti-productive. Corporations that get “hacked” — like Target, Home Depot, the USPS, your local hospital chain — aren’t getting taken by brilliant mastermind super-villains with supercomputers. They’re getting their data splattered across the Internet because they’re lazy and cheap.

It’s Not Good to be the King

All that said, I feel for these corporate leaders. They’re living through a Catch-22 situation. Since they haven’t yet spent any attention or money (to speak of) on security, their only internal line of defense is a socially-inept neckbeard whose answer to every threat — no matter the real risk — is “lock it down” and scold everyone for being so foolish. When that proves fruitless and frustrating they turn to outside security consultants, who cost them a fortune, but who cannot — no matter how much you pay them — force your company to develop and follow better policies or allocate capital or operating budgets to really, truly solve the most pressing security problems.

If you’re a CEO or COO or even if you’re the CIO, most likely you’re better at politics than policy, and you simply don’t know how much to spend in cash or attention to solve enough of your security problems to be helpful without spinning off into infinite expenses.

Security, at the policy and prioritization level, is damn hard. Someone needs to be smart enough on the tech and the business, but have enough political pull to guide changes in daily behaviors throughout the organization. That’s a really rare combination of skills and political powers.

So About That Hiring Problem…

Yep, the situation stinks for the CEOs, CIOs, and other leaders. But the fact remains that they need good security techs and security policy wonks, and they need to keep them moored to the reality of the business and market while also funding their work to a sufficient level.

Given the Breach-a-palooza we’re living through, clearly there’s not enough hiring going on for security-minded people, and security is not part of most companies’ core cultures. But let’s assume that changes. Let’s assume businesses want to get rolling with security-minded hiring. How do they find the talent?

Create it.

Because the Catch-22 that’s stopping businesses from hiring also creates a Catch-22 for potential candidates. Companies that do start hiring security people slap on all kinds of prior-experience and certification requirements. If you’re a candidate with limited or even tangential-but-relevant experience… too bad, chump. You’re not a CISSP? HR’s resume-scanning software will kick out your resume before you even talk to anyone. You haven’t been doing IT security work in a dedicated security role for the last 10 years? Don’t bother applying.

Welcome to the Catch-44

I’ve seen this before:

  • the software company that wants to hire coders with 10 years of Java experience when the language was only 7 years old
  • the marketing group that wants 5 years of social media experience only 3 years after Facebook opened to the public
  • the certification group that wants you to prove you have industry experience before you sit for the test, but you can’t get the experience without the cert.

This is what I call the Catch-44: companies that can’t hire for security because they’ve never hired for security and are scared to start, and candidates that can’t get security jobs because they haven’t done security work in the past. Employer Catch-22 + Candidate Catch-22 = Catch-44.

Someone has to make the first move here.

Investments Are Made by the Guys with the Capital

So here’s the deal. Companies are the ones with something to lose. They’re the ones traded on the touchy risk-averse stock market. They’re the ones with the deep pockets, funded by tax breaks and 10+ years of depressed employee wages. It’s their responsibility to foot the bill and break this Catch-44 logjam (to mix metaphors).

Follow IBM’s lead… from the late 80s. Hire the music teacher with the raw skills and train them. Only this time you can actually hire experienced IT folks whose jobs are being outsourced and automated anyway. Move them “up the stack” into security work.

The training is out there, ready to be absorbed. The policy frameworks are out there. Start making the investments.

And until we see real investments in the field by the incumbent businesses, I don’t want to see another “security staffing shortage” article, mmmkay?