You would think that organizations would realize this, since they apparently pass over people with cybersecurity degrees all the time. I’ve spoken to dozens of people with cybersecurity degrees who can’t get hired because they don’t have the technical skills and abilities required for low-level positions. But bad as it is that cybersecurity degrees are not technical enough for entry-level security positions, they also are usually not technical enough for any entry-level positions in the computer field.
In any case, security positions are not entry-level positions, and if you treat them as such, you will have terrible security. The best security practitioners have experience in the technology and processes that they are supposed to secure. If you are not an experienced developer, you do not have the standing to tell people how to secure the code they write. If you have no experience as a system administrator, you cannot maintain the security of a system. If you have no experience as an administrator, you cannot secure a database. If you have no experience in designing a network, you cannot competently design a secure network.
Security professionals are developed over time, just as happens with experts in every profession, including all of the other disciplines within the computer profession: You are assigned a position that is consistent with your skill level, learn on the job and receive appropriate training. It is that simple. You can “create” a security professional by finding someone with the required minimum skills — usually a computer professional with several years of experience — and then having them learn the security-specific skills required through on-the-job training, mentorship and formal training. I mean, think about it: In many cases, firewalls have been installed and well maintained for years without the benefit of newly minted graduates from cybersecurity programs.
The approach that seems to prevail these days — seeking a new hire who already has the right skills and experience or hiring them away from another organization — just doesn’t work. But it is why so many people believe there is a shortage of security professionals.
I can promise you that a competent computer professional with five years of experience will be more effective than a new graduate with a cybersecurity degree. I’m not saying that training, including cybersecurity degrees and certifications, is without value, but they rarely are a match for hands-on work experience.
Instead, organizations should look internally for skilled computer professionals who, despite having no stated experience in security, can quickly adapt to security roles. Those people do exist, and their real-world experience goes a lot further than any number of certifications or degrees.
Sure, it would be great to have lots of people with the necessary security skills clamoring to fill your security positions. But unless you have a program to identify competent professionals within your organization and offer them jobs and training that will arm them with security expertise, you are creating your own cybersecurity skills shortage. Don’t moan and groan that these people do not exist when your organization is just too cheap or narrow-minded to look internally and offer training.