When I studied computer science at university in the late 1990s, Borland C++ was king of the hill. Configuring networks was just as much a physical task as a logical one, and we were looking for faults in cables just as often as configurations. My studies gave me a good understanding of how computers worked and communicated, but there was one key element lacking in the syllabus for both the bachelor and master's degree at that point in time: security.
My first job as a young engineer was with a cybersecurity startup. Highly motivated and with a how-hard-can-it-be attitude, I jumped at the challenge and haven't looked back since. True, I didn't know too much about cybersecurity other than having played around with a few remote administration tools and clever ways of (secretly) deploying them on unsuspecting targets, but there were certain things I did know. I knew how to build a computer, what the different components inside it did, how it communicated with other computers through networks and peripherals – and how to program it.
At the time this was more than enough to successfully work as a security analyst. The threat landscape was nothing like today, and any actor with malicious intent was as poorly trained in security as the rest of us. We were all working with the tools at our disposal.
Fast forward to 2012. Working as a principal consultant, I was often teamed with younger professionals – many of whom were recent graduates of the Gjøvik University College in Norway, which offered study programs in information security at the bachelor's, master's, and PhD levels.
What I found was that while these people certainly had good training in cybersecurity-related areas like penetration testing, threat-hunting, and cryptography, they were lacking some of the basic understanding of data communication and were more reliant on tools and techniques than actual knowledge to get the job done.
Cybersecurity is a complex discipline that evolves and expands at an exponential rate alongside the digital revolution. What you learn this week might already be obsolete next week. Hence, a traditional three- or five-year university degree in cybersecurity will be almost outdated as soon as it is issued. Looking at it this way, the important thing to study becomes the underlying fundamentals: how the technology operates, how it is connected, and how it communicates. How to exploit it comes later, and it will continually change as the technology itself and how we use it changes.
So where does this leave us now? Do we teach students to combat fake news and digital vigilantes on social media?? How about new technologies like cloud computing, big data, artificial intelligence, and machine learning mapped against the ever more complicated regulatory frameworks that are put in place by governments all over the world? As a chief information security officer (CISO), how do you make sure you're delivering on your confidentiality, integrity, and availability (CIA) objectives without a triple-degree in computer science, international law, and global politics?
I believe the answer is remembering that cybersecurity is about teamwork. The discipline is ever-changing and all-encompassing. Hence, the successful CISOs of the future will be those who can see the broader threats and compose the best teams to address them — and that means looking outside the box for qualified, motivated candidates, like I once was.
Since I started my journey more than 20 years ago, we have always talked about how cybersecurity continues to be understaffed. This continues to be the case: According to ISACA’s State of Cybersecurity 2021 report, 61% of respondents indicate their cybersecurity teams are understaffed, and 55% say they have unfilled cybersecurity positions.
Do I still need ethical hackers on my team? Certainly! But I am in just as much need for candidates who understand law and regulatory compliance, pedagogy, and didactics – and never forget marketing and communications.
We need to focus more on motivation when we are looking for qualified candidates. There are plenty of clever and motivated people out there who with just a little push could do the most amazing things. Cybersecurity, being the volatile discipline it is, will need people who continuously want to develop themselves and stay up to date.
We also need to remember that prior hands-on cybersecurity experience will not prevent the digital threats of tomorrow. Those will come from motivated adversaries working on new technologies and thinking outside of the box. If we are to stand a chance to win, we need to be just as creative. And just as motivated.
One move to overcome the shortage of skills in cybersecurity is to be more open-minded when we are hiring potential candidates. We don't just need "hackers." We need individuals capable of critical and independent thought with the ability to challenge complex problems. Look for systems administrators, network engineers, and software developers rather than just established cybersecurity professionals.
With the fundamental knowledge and the proper motivation in place, just a little bit of guidance and coursework should be required before finding yourself with a very capable purple team.