People Development: The Solution to the Infosec Skills Crisis


There has been a lot of talk recently about the immediate, dire need for skilled information security professionals. Maybe it is not just talk. Maybe there is a huge skills gap, but when you dive past the surface of the problem you find that what people say they want or need and what they likely really need don't match.

A simple review of the blind recruiting requests I receive on a daily basis shows that employers are looking for some very distinct technical roles within their organizations, but they seem to only want very talented and experienced practitioners. Even the mid-career Security Analyst or Security Operator job descriptions I've seen lately are littered with very specific tool mentions and very specific task-experience requirements.

"Must have experience with the following: MagicFire Threat Detection; SkyPower Vulnerability Manager; BlackStar Network Detection... blah blah blah"

Then it continues with a laundry list of tools and widgets, buzzwords and marketing fuzz. Is this really what we want to say to potential hires? Is information security a job that can be whittled down to a series of dials and knobs? I'd argue it is not.

Information Security is a strange job field. It takes a very broad spectrum of skills, talents, experiences and happenstance to make a great security practitioner. Good practitioners can be grown, but they can't be generated on an assembly line. Don't mistake my perspective on this as subscribing to the "Security Unicorn" or "Special Citizen" view of security staff. We can't crank out security practitioners because security at all levels is as much art as science.

We can train people to understand concepts. We can train them to follow a process, monitor reports and even exploit our weaknesses and vulnerabilities, but we can't give them, on day one, the capability to understand the complex interactions of people, policy, and systems that make up the depth and breadth of security threats. This takes time. This takes mentoring. This takes work.

So how do we grow new talent?

Developing the next generation of security experts requires that we abandon the idea that we are different, special or unique in our vocation. Most if not all of the best security practitioners I've been lucky enough to work with or speak to, across all industries, did not start fully formed as information security practitioners. They began as something else - business analysts; auditors; help desk specialists; network engineers; application developers... the list goes on and on. None of them were Security Experts in their first job, but that said, ALL of them had security tasks from day one.

Providing our consumers with experts will require those of us who are already seasoned to change our own approach to building and running our security teams. We learned organically, through experience, opportunity and mentoring. Now it is time to do the same for those who will augment and eventually assume our roles. We need to stop providing a list of tools to our HR and recruiting partners and begin to talk about capabilities, skills, and experiences.

This makes the process harder for EVERYONE, but think of how it will pay off. We find candidates who can add capability but who can also learn. They may not be good on "Day 1", but frankly no one is. Even if they know the tool you expect them to use, I almost guarantee you use it differently than their last employer did, and if you don't, then the company culture is different and they have to learn that as well.

Recruit from within first

We need to recognize that the most effective security team members represent their value through their understanding of the company and its culture. We can't buy that from the outside. We have to inherit it from within.

I'm not proposing you poach or steal people from your peers, but you should be actively working to cultivate new talent across the business who can move into a security role, or better support their current organization through an expanded understanding of Information Security. We can't continue to treat our function in the enterprise as a silo. Security, as we all spout endlessly when we want attention, is EVERYONE's responsibility.

John Sisco CISA,CRISC,CISM,Security Plus,PCI ISA, PCIP

Senior Analyst-Information & Risk Compliance (Please note I have no purchasing authority.)

7y

Great article Shawn. The real problem is many organizations do not train and mentor internal security staff or have a decent training budget.
