Why you can’t hire your way out of your cyber security problem

Richard Stiennon wrote in Forbes the other day that the solution to the problem of not enough cyber security talent isn’t more STEM education; it’s the teaching of tools and very specific skills. If you’re an advocate for channeling more students into computer science or engineering programs then that’s going to sound pretty anti-intellectual to you; if you think Richard is calling for the return of vo-tech you’re absolutely right. /* If you’re of a certain age you probably don’t know what vo(cational)-tech(nical) school is. It’s where people who were interested in building and fixing stuff went to school before society told them that if they didn’t go to college they were losers. Having recently paid a plumber $150 just to cross the threshold of my house, I question how accurate those claims are. The fancy word for vo-tech kids today is “maker.” */

Now there are a lot of ways to find a job in the computer security field, college being one of them, certification mills another. A vo-tech model for ramping up the headcount of computer security talent is a good idea: plenty of tool use so you’re productive on day one, and enough “education” to make sure you understand what is going on when you push buttons.

Success for such a model is going to depend in large part on the ability of those who need such talent to get their heads right about requirements and then act accordingly. This means hiring for security the way you hire for other parts of your business (and paying accordingly). When you’re looking for an accounts receivable technician you don’t advertise for a CPA. The accounting unit in a business of any size is pretty substantial, with the most experienced and educated people at the top, generalists managing in the middle, and specialists operating at the bottom. If you tried to build a security unit of that size with your current job requirements it would be the most expensive and highly skilled bunch of people in the company, and it would churn like a maelstrom (ninjas bore easily).

Building a security unit that is staffed and compensated along more traditional blue- and white-collar lines wouldn’t be nearly as expensive as a unit of “ninjas,” but it would take a pretty radical organization to adopt such a course of action, and there is no guarantee that it would be able to defend itself online in a superior fashion.

At the risk of coming dangerously close to misquoting an ancient Asian military strategist, let me just say that if all things physical and technical are equal in a conflict, the day will go to the smarter general. The problem is you’re not in the digital warfighting business; you’re in the widget business. You need access to the best and most diverse widget talent you can find just to be competitive; adding computer security to the mix doesn’t improve the bottom line, and you’d lose the vast majority of your battles.