Page 248 - Cyber Defense eMagazine Annual RSA Edition for 2024

How We Got Here

            Anyone who tells me that they didn’t see this talent crisis coming is either brand new to this industry
            or ignorant of the last 20 years. When cybersecurity was brand new and we were still trying to take the
            shrink wrap off the box, there was no staffing shortage because there was no staff. People from all
            different IT backgrounds stepped into the breach: network engineers, server engineers, help desk
            specialists, developers, and so on.

            As the industry started to solidify and specialize, things got interesting.


            When we separated cybersecurity from the rest of IT, we created a potential for trouble later. Suddenly,
            talent that was used to being a mile wide and an inch deep on technical expertise flipped to be an inch
            wide and a mile deep. As specialization developed, a natural pathway for gaining experience and
            expertise grew and everything was working well.

            Then we got to the early 2000s, and suddenly companies decided to eliminate entire low-level bands of
            employees (the minor leagues, or development squad) and take the work offshore to third parties. This
            created a colossal vacuum back home, where the people who previously had the opportunity to work their
            way up into the specializations and higher levels of expertise no longer had a pathway for progression.
            Decades of tribal knowledge were wiped out, lost in translation, impacting the talent pipeline.

            Somewhere between the early 2000s and now came a series of unfortunate missteps, including poor hiring
            practices and failure to provide existing employees opportunities to keep learning and training in their
            craft. Yes, companies also made poor decisions and over-rotated on technology; that much should be
            clear now that enterprise security teams average a 10-to-1 ratio of dashboards to employees. However,
            the bottom line is that this is the bed we’ve made, and we’re flabbergasted that we now have to sleep in it.



So Is There a Talent Shortage or Not?

            Anyone who sees a talent shortage, considering the number of cybersecurity professionals out of work
            right now, is misunderstanding the situation. Add to that all of the military professionals entering civilian
            life who could rather easily be cross-trained into our profession, plus the advances in automation
            technology, and I’m hard-pressed to agree that there is a shortage of skilled candidates.

            But here’s the problem – it’s easy to look at unfilled job requirements and use that as evidence of a talent
            shortage. The reality of the industry, however, is much different.

            Below are a few ways we’re missing the mark.



Unrealistic CV expectations


            Companies are unrealistic about their expectations for cybersecurity talent. Job descriptions ask for five
            years of experience with ten certifications and call that an entry-level job with entry-level pay. It’s so







