Back when I was working in Animal Control for the city of Lake George we had a saying: “only the people who really love animals should work in animal control.” And I feel the same about cybersecurity.
We had this guy, I’ll call him Anthony for no reason at all, and man he got frustrated with those animals. One night I get this call over the radio that the shelter is in lock down. So, I race over there and Anthony is freaking out! He didn’t know raccoons could open latches and they escaped the enclosures and opened up a bunch of others. There were raccoons everywhere!
Anyway, while he was trying to get them back in cages, they of course kept getting out. The more they resisted the more frustrated he got, and the less control he had over them.
The problem is that for him, it was just a job. He didn’t love animals and didn’t love what he did. And it showed whenever something didn’t just work out for him. He would get frustrated and he’d lose control over the whole situation.
I think to this day he absolutely hates raccoons. I don’t get it. This story was about Anthony, not me.
So, what do you think happens when you hire somebody to work in security who doesn’t love their job? The same. The more things don’t work out, the more they lose control over the situation. That is not someone you want working cybersecurity. You don’t need some Anthony in there when breach time ticks.
Back in 2001 I ran into this problem when starting a cybersecurity team for a bank I refuse to give any free marketing to. The bank wanted to hire internally, so we sent the message out and fielded about three dozen applicants from all areas, some not even IT. In the end I took four: a programmer, a systems admin, a new college hire with a degree in Telecommunications, and a guy who worked in marketing. Why? Because they were the most resourceful.
How security works doesn’t change. Well, it does, but really slowly because few people are actually researching what makes security be security, although there’re many people researching what makes something be a risk.
Secondly, we aren’t even close to reaching the tipping point where we know so much about making security that everything else just falls in place. This was even more so in 2001. So, I knew we could teach people what makes security, but we couldn’t teach them to be curious, interested, or to just love it.
To hire people, I created this thing called the Jack of All Trades. It contains multiple scenarios to role-play of various industries and career types that are not security. By letting the candidates answer from the perspective of these other careers we could examine them for all the things you’d want from a security professional or a hacker: resourcefulness, creativity, knowledge, curiosity, alacrity, and empathy.
So for example, in Jack the Postman, you are a postal carrier for an independent express postal service. You have a book-sized package to deliver.
And that’s just one of ten scenarios which include Mechanic, Building Inspector, Soldier, Thief, and even Record Store Owner. It’s pretty thorough. You just pick the scenario based on the relation to the tasks involved and observe the candidate. Tell them they have one minute to answer but give them two just to be realistic.
I remember we had this one guy we interviewed, I’ll call him Anthony again for no reason at all. No relation to the other one. He was a developer and he knew networking inside and out. He was smart. But when he couldn’t answer one of the questions he also had no desire to hear possible solutions. He just gave up on it. No curiosity. No alacrity. No love.
We ended up taking blonde Sally from Marketing (not her real hair color) instead because even though she didn’t know security, she had taught herself to be an expert with InDesign, Photoshop, and a few other design applications that are much harder to master than a firewall.
In addition to that, she figured her way around the “no USB policy” on the workstations and making open shares for transfers. She loved figuring things out as much as she loved choosing typography. She was a perfect fit for cybersecurity. And our reports looked amazing!
Unfortunately, you won’t likely get such diverse candidates showing up for your open cybersecurity positions. Now with colleges churning out security professionals like Anthony (the other one) now churns out Slushies, you’re going to get all these candidates who claim to know security. But most don’t.
They know products and aren’t all that flexible in learning new ones, griping all the time about how when they used pfSense it was better. And I’m all like, “shut up and finish your IP tables!” Then they leave for more money somewhere else.
Meanwhile, you have experienced security professionals today griping that - despite millions of unfulfilled cybersecurity jobs - they still can’t find work. And there are. But they’re likely not called security. And they’re likely not the “Lead Cybersecurity Sitting on Your Ass Strategizing” job that I’m still looking for, because there’s only about eighty of them in America.
No, they’re likely for an SMB that needs an IT person that can also do security. They’re likely a well-organized person who will crawl under a desk to check a LAN cable while explaining calmly and patiently to Pat for the thousandth time that their mouse did not get malware.
They’re likely somebody who isn’t going to have any experience in the latest cybersecurity solutions or have even heard of them, but when they see it they’ll say, "Oh, it’s just like something from fourteen years ago," and then proceed to use it because you know what, they’re right.
In 2003 we realized that the less experience the person had working in security the faster they picked up new concepts. We figured it was because they didn’t have to unlearn anything. They were a clean slate, untainted by the concept that security products were security.
So, we started Hacker Highschool to promote cybersecurity concepts and skills - especially resourcefulness, creativity, knowledge, curiosity, alacrity, and empathy. And after just twelve years it took off, landing in schools around the world. It turns out that most schools didn’t think that high school students needed cyber skills until about 2015.
These lessons aren’t nothing either. The soon-to-be-released Lesson 12 teaches you how to be a SOC Analyst. The other eleven lessons build you up to it with networking skills, Linux skills, malware analysis, attack analysis, forensics and much more. Colleges are snapping them up for their courses. Did I mention that the textbooks are open source and free online (but buy the books to support the project!).
So, we’re making capable cybersecurity professionals now. But it could be a while before they enter the workforce. And when they do, who says it will be cybersecurity? When I was in high school, cybersecurity didn’t exist. It’s not like I could choose it as a major. So, who knows what will be available for high school students in a decade? Maybe “Lead Cybersecurity Sitting on Your Ass in a Rocket” might be the job they’re all fighting for.
So, while we’re waiting, we’ve been pushing people who want to do something else with their lives to give cybersecurity a shot like it’s 2001 all over again. I have no doubt that an auto mechanic can master today’s cybersecurity products. I mean have you seen some of those diagnostic machines they use on cars? And dismantling an engine to find a problem is a lot harder than searching Google for one.
There’s definitely some who would give up working in a garage for that SMB cybersecurity master of all job that pays probably more than what they make now. And not just mechanics - let’s retrain graphic artists, electricians, soldiers, secretaries, plumbers, wedding planners and anyone else who wants to move out of their current space but still want to solve problems, work with their hands sometimes, and who can talk to people like actual people and not as if they’re the weakest link. For all those people, grab Hacker Highschool and start reading-- you’re highly employable in cybersecurity.
Look, unless you have a specific security tool you’re locked into and need to hire an expert for, look outside the cybersecurity field. Look for people with skills certifications over knowledge certifications. Most of all, find the right attitude before you look for the right skills for both capability reasons and turn-over reasons.
Just remember the technology changes quickly, and whatever solution you’re hiring them for today will not exist like that tomorrow. They’ll have to learn it anyway. So better hire someone who can learn than someone who can talk cybersecurity terminology.