We need to reach out to a broad church to fill vacant cyber roles
Cybersecurity roles tend to emphasize cyber-specific specializations and technical skills to the exclusion of all others, and the sector could benefit from expanding its scope to include pathways for a broader group of people, including anthropologists, political and international relations analysts, psychologists and other social scientists.
As a social anthropology student in the early 2000s who got into technology writing more by accident than design, I’ve long thought that the technology industry as a whole could use more artists, humanities scholars, and social scientists. I believe we bring a much-needed perspective to the often very dry and complex subject of technology, which sometimes risks leaving behind or even harming the people it is designed to help.
More recently, as my career has taken me into the world of cybersecurity, I have been fascinated by the psychology behind how and why people act the way they do in a cyber context, and how and why threat actors act the way they do.
That belief was reinforced after I heard Chris Ensor, Associate Director of Cyber Growth for the National Cyber Security Centre (NCSC), speak at (ISC)²’s Secure London event on April 7 – the first in-person session the cyber certification association had held since the beginning of the pandemic.
In a broad keynote, Ensor compared the cybersecurity profession to the medical profession, even though they are at very different stages in their lifecycle. What did he mean by that?
Simply put, the medical profession has defined roles, specializations, and paths that have been established over the last two centuries, going back to the days of Florence Nightingale and Mary Seacole. But cybersecurity has been around in its established form for 10 or 15 years, 20 at most, and in that time has arguably become as important to the overall health of British society as the NHS.
One problem the medical profession has successfully solved is that its different professions have clearly defined specializations – a gynecologist specializing in women’s reproductive health, an otolaryngologist specializing in ear, nose and throat medicine, a podiatrist in feet – but due to its comparative novelty, cyber lags behind in defining what a security analyst, consultant, or engineer must be, and different organizations will define these roles differently.
Can you imagine the chaos that would ensue if different NHS trusts could define clinical roles differently?
In addition, it is difficult to find common ground and agreement on what cybersecurity specializations even are. The US National Initiative for Cybersecurity Education (NICE) defines more than 30 specializations, but the NCSC defines only eight, according to Ensor. These are risk management, security architecture, secure design, incident response, penetration testing, network monitoring, digital forensics, and vulnerability management.
If the cyber community can agree on and better understand these specializations, we can then explore how to effectively unlock these talents in people. This is where we social scientists come into play. Re-skilling and up-skilling the existing workforce is a time-consuming and difficult process, but if we can highlight the aspects of existing, non-technical skills that in some cases fit these specializations, we will surely find potential security practitioners lurking in the least likely corners.
Take my own experience. As a literary kid who excelled in English and History and hated math and science, I happily dropped STEM subjects after my GCSEs and was drawn to social anthropology because I like people and want to know why people do what they do, and think what they think.
During my undergraduate studies, some of my most enjoyable times were spent with a group of volunteers at my university who had come to the UK from Chile to study. I explored their experiences in the UK as they recreated their food culture with the resources available to them in the world food aisle at Asda, and, through food, found out how they understood themselves and their social group as expats in a foreign country.
As I look at the world of cybersecurity, I’m starting to see parallels with those experiences. In 2020, I wrote about the then-nascent DarkSide ransomware operation, which made a name for itself by “donating” some of the extorted money to charity (it should go without saying, but please don’t accept donations from ransomware gangs, people). What, I wondered, motivated the criminals behind DarkSide to do this? Good PR? I dug deeper and started to learn more about how cybercriminals understand themselves in the context of the underground communities they create.
Six months later, in spring 2021, my colleague Valery Reiß-Marchive of Computer Weekly’s French sister title LeMagIT shared with me leaked chat logs between the Conti ransomware gang and clothing retailer FatFace. I was impressed by the professionalism displayed by the cyber criminals. It was clear to me that Conti ran its operations like a technical support company and that its members considered themselves, to some degree, legitimate penetration testers, albeit unscheduled ones.
As Ensor put it, a role is a job: to do the job you need skills, and to get those skills you need to know something. I don’t presume for a second to say that my interests make me a suitable candidate for a threat research and analysis role, but my writing has provided me with a baseline of understanding, and if I were to make a career change, the thought of going in-house at a security company has crossed my mind.
A broad church
There is no doubt that the cybersecurity industry is in the midst of a skills shortage, and technology education clearly plays the key role in addressing this problem, but there are also very many potential roles and opportunities for people outside of the technology community, and the security industry does not do enough to find people like me.
I think that’s partly because the security industry doesn’t actually know what it wants and partly because it’s obsessed with technology and coding. And I believe these mistakes will derail its efforts to resolve the security skills crisis.
Cybersecurity is a societal issue and requires a societal workforce, so the profession must look beyond certifications and technological skills. The best security expert you will ever meet might be hiding in plain sight, but none of you know it yet.
Yes, your next security analyst might actually be a ballet dancer.