Closing the Skills Gap

This morning, I sat in on a panel titled “Closing the Cybersecurity Skills Gap.” Javvad Malik has curated a collection of tweet observations; I thought I’d expand and share a few of my own observations:

The “skills gap” that recruiters see isn’t the right one. Often, we hear about the skills gap from recruiters in the context of “I couldn’t find candidates that met your requirements.” But if the requirements included, “15 years of experience securing Windows7,” we don’t have a skills gap, we have a problem writing job descriptions.

An often missing skill is relating to the business. Our jobs as security professionals often puts us at odds with the business. Why? Because we strive to be the “conscience of the business” and stop it from taking certain risks. Our job is to help the business take risks - but to do so more wisely, through actionable knowledge. Since our business partners are the ones making the decisions to take risks, they are the ones who need to understand risks that impact their decisions.

Think systematically. Many of our training programs focus on providing building block skills; this gives people hammers (so that all problems look like nails). An underdeveloped skill is the ability to think holistically about systems.

Problem solving is a needed skill. Not simply identifying how to solve a problem; actually digging in and solving a problem is a critical skill. It might require building servers; installing applications; designing processes; analyzing data, and a dozen other sundry capabilities.

Communications and translations are key. Every job function has its own jargon - and being able to communicate in the jargon of the business is a critical capability. Having the ability to quickly learn about how current events or new technologies will affect your business, and then provide coherent summaries and advice to the business will be extremely helpful.

Be kind. The security profession has often celebrated being unkind and hurtful to each other and our business partners (think of The Wall of Sheep). Instead, we should be trying to understand them; to be helpful to them; and to understand how we can improve their world.

And some thoughts from prior blogposts: Certification isn’t a marker of mastery. Think about measuring value. Are you applying your skills to just compliance, or solving security problems like awareness training in novel ways?

Cognitive Injection: A reading list

Context: Tuesday, February 25th, I’m presenting “Cognitive Injection: Reprogramming the Situation-Oriented Human OS” at RSAC in Moscone West, Room 3005 at 4 pm (Pacific). My slides are here.

I’ve formed my opinion about how the human brain works with the assistance of some great contributors. Some of them are humans I hang out with, but many of them are authors and researchers; in the interest of helping others come to the same, or better, understanding, here’s a short reading list:
  • Daniel Kahneman; Thinking, Fast and Slow
  • James Reason; Human Error
  • Atul Gawande; The Checklist Manifesto
  • Christopher Chabris and Daniel Simons; The Invisible Gorilla
  • Sam Peltzman,;“The Effects of Automobile Safety Regulation”, Journal of Political Economy, 1975. (see also: The Peltzman Effect)
  • Tom Vanderbilt; Traffic