There's a simple solution to the lack of skilled cybersecurity professionals. Which is not to say that it will be easy.
People constantly bemoan the dearth of skilled cybersecurity personnel, especially after a high-profile breach. And we hear a lot of proposals for fixing the problem: more certifications, more training, more research. All of these solutions amount to lobbying; they come from certification bodies, training companies and university researchers.
I don't deny that those proposed solutions are useful for improving some aspect of cybersecurity knowledge, skills and abilities. But taken all together, they won't give you a skilled practitioner. They won't even give you a competent practitioner. The best of these suggestions might be certification, but not all certifications are created equal. Certifications that require work experience are far superior to those that don't. Having extensive experience applying the knowledge embodied by the certification is the only way to demonstrate that you can provide expertise in securing an organization in practice.
Beyond certifications, though, experience is always the key in developing skilled security practitioners.
Many people would say that the National Security Agency, where I used to work, is the world's leader in cybersecurity, and has been for four decades. Given that reputation, it's interesting to think about how it came to occupy the pinnacle of cybersecurity competence.
The first thing that strikes me is that the NSA draws its staff from the same pool of personnel that's available to industry. Its potential employees don't have any unique knowledge, skills or abilities unavailable to private enterprises. What the NSA does is to hire people with appropriate backgrounds and skill sets and then build on those skills with on-the-job training and mentorship. It's that simple, but as I said, not necessarily easy.
This sort of thing is the normal practice in other industries. A new graduate with an architecture degree is not going to be hired to design a landmark building. Instead, he or she will work for years supporting a team of experienced architects, gradually taking on more responsibilities commensurate with his or her accumulating skills and experience. The same is true of engineers, and even of those in less prestigious professions, like plumbing. Why should we expect cybersecurity to be any different?
When I applied to the NSA, I had to take aptitude tests, which showed that I had high computer aptitude. I was offered a position in the Computer Systems Intern Program, where I had rotating job assignments in the computer field while attending various computer-related classes. Those classes were virtually the same as those taught at most colleges. My work assignments varied in responsibility, but that responsibility was always commensurate with my abilities. I was not looked to as an expert. Expertise takes time to develop and has little to do with the number of classes taken, certifications awarded or degrees attained.