Black Hat USA 2024: “It doesn't mean you have to be young to come into cybersecurity”


With a hostile cyberthreat landscape demanding cybersecurity pros, thousands of security positions remain vacant. One infosec pro we met at Black Hat USA 2024 in Las Vegas may have a solution.

“It's not just about wanting to go into cyber; it's about having the right skill mix for the jobs that are in demand,” Jon France, an infosec professional and CISO at ISC2, a non-profit organization that specializes in training and certifications for cybersecurity professionals, told Cybernews.

ADVERTISEMENT

However, with the World Economic Forum forecasting global cybersecurity talent shortage can reach 85 million people in 2030, organizations and recruiters will be forced to come up with creative ways to get more talent.

According to France, the cybersecurity skill gap creates a vicious circle. Companies demand high experience for entry-level positions because most organizations can only afford to hire a few.

“Market demand is pulling. Organizations want experienced people, but because there are few people to fill the positions, they're expensive positions to fill. That's a tension that we see come to the fore,”

France told Cybernews.

To break the cycle, organizations could look at the problem from a different angle. France believes that instead of seeking empirical knowledge, organizations should look for specific skills in potential employees, such as a propensity to learn, logical problem-solving ability, and critical thinking in general.

“It's far more valuable than three years of experience of securing Active Directory,” France said.

Double-edged AI

Large language models (LLMs) and other forms of artificial intelligence also emerge when dealing with a crucial lack of cybersecurity people. France believes that AI has the capability to improve overall worker productivity, which could help mitigate the growing need for specialists.

However, France believes that AI should not be seen as a menace to entry-level cybersecurity positions. AI ought to be seen to augment and not replace people in their roles, adding capabilities that previously could not exist.

ADVERTISEMENT

There’s a catch, though.

“There could be a slight downside to AI replacing manual tasks. It took us a long time to log files, but that was us cutting our teeth and learning some of the basics. What AI might do is blunt some of that inherent knowledge that you would gain by simply doing,” France explained.

Career switching

With AI-induced uncertainty in the job market, open cybersecurity vacancies could attract newcomers. However, some might get spooked by the supposed technical nature of the craft. France, however, advised cyber-curious people to at least try, for example, taking a free training course.

“You may find you really love it and it's not that big and scary. You may find it's not for you. That's okay too because you'll walk away with some of the basic security concepts,” France encouraged.

ISC2’s CISO explained that many people have all the right knowledge to work in cybersecurity without even knowing it. Finance professionals are capable of data analysis, while human resource professionals understand how humans work.

“The myth I really do want to bust is that entry-level doesn't mean young. You don't have to be young to come into cybersecurity. You can make a career change. The most important thing is transferable skills,” France explained.