IT security staffing shortage? Nonsense.

From Codas to Coding

Many years ago I was a kid living in the Raleigh area and I met a music teacher who was leaving her job to go work for IBM as a programmer. I asked whether she had any programming background and she said no — but IBM was going to train her. She said IBM was recruiting new talent into the software field and wanted folks that could handle some math and logic, and to their thinking, music majors fit the bill for them. They were going to provide months of training and bring this music educator up to speed with new skills and then use her to create software for IBM.

That’s how you solve a lack of skills in your industry: you find people that are smart and trainable, and you train them.

The So-Called Security Skills Crunch

These days you can’t swing a dead cat around without hitting a hand-wringing or cheer-leading security industry article talking about:

Well that sounds good to me! I’ve been doing IT security work for years as part of my various IT infrastructure, project, and management jobs. I work with firewalls, VPNs, networks, servers, directories and so forth all the time. I’ve been a HIPAA Security Officer in the healthcare sector. I’m gonna be rich!

So… where’s my big fat check?

Reality of Corporate Attitudes Toward Security

The truth is corporations really don’t like security and they aren’t hiring nearly as much as the salary surveys and feel-good security industry articles would have you believe. To most corporate leaders, IT security feels extravagant and wasteful: “Why would I hire even more people to not produce anything marketable?” Even worse, more security slows productivity for those that actually are generating marketable goods and services. And to guys in the C-suite, it’s painfully boring to boot — whether it’s endless policy discussions or technical reviews, it ain’t sexy or fun.

The data breach explosion and the corresponding breach fatigue come from these corporate attitudes: that security is boring, too expensive, and anti-productive. Corporations that get “hacked” — like Target, Home Depot, the USPS, your local hospital chain — aren’t getting taken by brilliant mastermind super-villains with supercomputers. They’re getting their data splattered across the Internet because they’re lazy and cheap.

It’s Not Good to be the King


All that said, I feel for these corporate leaders. They’re living through a Catch-22 situation. Since they haven’t yet spent any attention or money (to speak of) on security, their only internal line of defense is a socially-inept neckbeard whose answer to every threat — no matter the real risk — is “lock it down” and scold everyone for being so foolish. When that proves fruitless and frustrating they turn to outside security consultants, who cost them a fortune, but who cannot — no matter how much you pay them — force your company to develop and follow better policies or allocate capital or operating budgets to really, truly solve the most pressing security problems.

If you’re a CEO or COO or even if you’re the CIO, most likely you’re better at politics than policy, and you simply don’t know how much to spend in cash or attention to solve enough of your security problems to be helpful without spinning off into infinite expenses.

Security, at the policy and prioritization level, is damn hard. Someone needs to be smart enough on the tech and the business, but have enough political pull to guide changes in daily behaviors throughout the organization. That’s a really rare combination of skills and political powers.

So About That Hiring Problem…

Yep, the situation stinks for the CEOs, CIOs, and other leaders. But the fact remains that they need good security techs and security policy wonks, and they need to keep them moored to the reality of the business and market while also funding their work to a sufficient level.

Given the Breach-a-palooza we’re living through, clearly there’s not enough hiring going on for security-minded people, and security is not part of most companies’ core cultures. But let’s assume that changes. Let’s assume businesses want to get rolling with security-minded hiring. How do they find the talent?

Create it.

Because the Catch-22 that’s stopping businesses from hiring also creates a Catch-22 for potential candidates. Companies that do start hiring security people slap on all kinds of prior-experience and certification requirements. If you’re a candidate with limited or even tangential-but-relevant experience… too bad, chump. You’re not a CISSP? HR’s resume-scanning software will kick out your resume before you even talk to anyone. You haven’t been doing IT security work in a dedicated security role for the last 10 years? Don’t bother applying.

Welcome to the Catch-44


I’ve seen this before:

  • the software company that wants to hire coders with 10 years of Java experience when the language was only 7 years old
  • the marketing group that wants 5 years of social media experience only 3 years after Facebook opened to the public
  • the certification group that wants you to prove you have industry experience before you sit for the test, but you can’t get the experience without the cert.

This is what I call the Catch-44: companies that can’t hire for security because they’ve never hired for security and are scared to start, and candidates that can’t get security jobs because they haven’t done security work in the past. Employer Catch-22 + Candidate Catch-22 = Catch-44.

Someone has to make the first move here.

Investments Are Made by the Guys with the Capital

So here’s the deal. Companies are the ones with something to lose. They’re the ones traded on the touchy risk-averse stock market. They’re the ones with the deep pockets, funded by tax breaks and 10+ years of depressed employee wages. It’s their responsibility to foot the bill and break this Catch-44 logjam (to mix metaphors).

Follow IBM’s lead… from the late 80s. Hire the music teacher with the raw skills and train them. Only this time you can actually hire experienced IT folks whose jobs are being outsourced and automated anyway. Move them “up the stack” into security work.

The training is out there, ready to be absorbed. The policy frameworks are out there. Start making the investments.

And until we see real investments in the field by the incumbent businesses, I don’t want to see another “security staffing shortage” article, mmmkay?

Should public media make Education its mission?

UPDATE: I added some comments about what “education” means to me at the bottom of the post.

An interesting new article was posted last week that caught my eye (thanks to @kevintraver):

A More Public Role for Public Broadcasting: Education
by Dale Dougherty / O’Reilly Radar

The gist of the article seems to be that public media — though Dougherty focuses almost solely on public TV — should use its ample broadcasting bandwidth to focus on educational content, from traditional kids’ programming up through lifelong learning and civics topics. Using TV is considered better than using the web for accessibility reasons (which broadly makes sense given the cost of broadband in this country).

While I like the idea in broad strokes, I think Dougherty is missing a lot of insider knowledge of the industry as it exists today and how it’s funded. So I submitted a comment to the site that goes like this:

This is a nice idea that will never happen. At least not without a huge change in direction for public media and government (i.e. voters).

Whether or not education / lifelong learning was in the 1967 PBA is now irrelevant. Public media institutions have drifted far from education over the years and aren’t coming back. Why? Because education doesn’t make enough money to be self-sustaining. Which is why taxes pay for schools and students pay for college.

With all due respect to Mr. Lippincott and other former colleagues in public TV, let’s get real. PBS’s best work is done in children’s programming and it’s marginally educational. The only way it’s strongly educational is with deep parental involvement (rare) or direct classroom tie-ins in schools (limited for political and time management reasons).

To make the Education mission a reality in public media, taxpayers would have to agree to foot the bill of perhaps $1-2 billion annually. That would be cheap for what we could get, but not likely. Further, it’s becoming very clear that education via online video and other means is exploding and to do this work via TV is anachronistic if not downright wasteful.

The short-run plan for PBS: keep doing what it’s doing until it collapses financially (by 2015, I’m betting). Once that happens, the children’s programming will remain in a reformatted PBS, the news content will go to a reformatted NPR, and WGBH will gobble up the rest and become a national superstation.

If, on the other hand, you consider quality news a form of education (which, in truth, it is), then you’re talking about NPR for the most part, and they’re the shining hope for public media.

I’m big on having a bold mission, articulating it and making meaningful community impacts. But my take is that well-done news that intelligently informs the electorate in times of turmoil (say, the next 25 years) is more supportable and more meaningful than trying to take on the education monster, in which everyone has opinions of what should be done but no one is really in charge and everyone is underfunded.

UPDATE 14 Oct 2009 2:30am EDT

After a Twitter exchange with @MarkRyanWFWA (follow him!) I realized that I may be defining “education” more narrowly than others would like.

For me, education is a fairly systematized approach to providing information and then following up to ensure the information was understood and can be practically applied. So when I say public media should not adopt education as its primary mission, I mean it. I just mean it in my own way.

Of course, “public media” can even be debated as to its meaning. In its largest sense it means creating / curating / sharing media in service of a public good. That’s great, but I do think for practical reasons we have to sharpen our missions much more than that. To me, that means news and information aimed at already-educated (to some degree) people to allow them to live their lives more successfully and make decisions as citizens that have positive impacts.

Education is definitely a public good. I just don’t think public broadcasting, as it moves to public media, should focus exclusively on that mission.