Cybersecurity is not too technical. Nor should be a career in the field
The talent shortage in the cybersecurity field is often self-inflicted. Numerous technical requirements scare capable people away when a large portion of the vacancies do not require people to be hoodie-wearing hackers, says Rick Howard, CSO and chief analyst at CyberWire.
With the world going more digital by the year, a need for cyber defense specialists would seem self-evident. However, numerous industry studies every year show a massive gap between the need for talent and supply that meets it.
“I don’t need someone to understand computer science. I need people who can solve problems, who can read things on their own, learn things on their own. I give it to them because I don’t have the talent to solve the problem. It’s why I hired them.” Rich Howard, a cybersecurity veteran, told CyberNews.
There are numerous reasons people shy away from joining the cybersecurity field, but some of the blame for the trend lies within the industry. Howard, who has decades of experience with the military and within the private sector, explained that one of the most valuable skills within the sector is translating technical language to something people running the businesses could understand.
Along with the industry's workforce topics, we discussed which concept in the field needs the most explaining and which book to read if you want to understand security events such as the infamous SolarWind hack.
When young people come up to me and ask what they should study to be a cybersecurity person, I always tell them that they should practice writing and speaking. You need to get comfortable with the idea of conveying these ideas to people,Rick Howard.
You have spent decades with the US Army. How did that experience influence you to gravitate towards a career in cybersecurity?
I was in the US Army for 27 years, if you count military school. I knew in high school that I wanted to do something with computers. I was a gamer back then, and I knew I wanted to do something where I can be around that kind of technology, so I studied computer science in college.
I’ve turned into an IT guy about midway through my career. In my last job in the military, I ran the army computer emergency response team for the US Army, basically the CSO for the US army. This was back in the early ‘00s. My job was to coordinate all fencing and defensive operations for the military.
Then I retired from the military, and I did something that most people like me don’t do. I went straight to a commercial cybersecurity vendor and one that didn’t have any ties to the government. Most people like me would transition to Booz Allen Hamilton or Raytheon. But I didn’t do that. I went to a pure-play commercial vendor, so I had to learn the business side of cybersecurity pretty quickly.
How did your experience with the military help you in the private sector?
One of the things that you have to learn how to do in the military is to summarize things right. Really complex, horrible, detailed, thousand-page documents into half a page to a general who could make a decision about it. I did have a lot of training on that. And all military people have to learn how to do that. Executive summaries are the way of the world.
I learned in the cybersecurity space that that’s one of the best skills you can have because there are lots of smart people out there who understand how things work. But if they can’t convey what they know to other intelligent people who don’t understand the cybersecurity part of it, they’re not much use. So, how you communicate with businesspeople about the technical details of cybersecurity is a sought-after skill set.
The way that manifests is, how do you convey a cyber risk or a technical risk? How do you transform that into a business risk so that they can understand it and make decisions about the business? It’s really hard to do, and you have to practice.
When young people come up to me and ask what they should study to be a cybersecurity person, I always tell them that they should practice writing and speaking. You need to get comfortable with the idea of conveying these ideas to people.
Year after year, reports indicate a workforce shortage in the cybersecurity field. Why do you think this discrepancy exists?
There are lots of factors that cause it. One is that at least on the commercial side, we, our HR departments, have hamstrung ourselves. They put the requirements down for an entry-level cybersecurity person that nobody can qualify for. You have to have a computer science degree, and you have to have 17 certifications. And I don’t need that. I don’t need someone to understand computer science. I need people who can solve problems, who can read things on their own, learn things on their own. I give it to them because I don’t have the talent to solve the problem. It’s why I hired them.
And I think the other problem is that we scare people away. Because it sounds like it’s so technical and people think they’re not technical and therefore can’t do that job. But in truth, there are thousands of different kinds of careers in cybersecurity. A tiny percentage is highly technical. The rest is just understanding and explaining and coming up with policies that work and so on. We scare people away by making them think that you have to be able to write exploit code.
Another thing is that despite numerous initiatives for women to be more actively involved in the cybersecurity field, they make up only a fifth of the total workforce. What could the cyber community do to change that?
There are a couple of contributing problems for that. One is that we’re our own worst enemies. Meaning that mostly men gravitate to the field early on. So, men are making decisions about who they hire. So, they hire people that look like them. And they don’t understand the value of having a diverse team.
There’s also a small portion of the cybersecurity workforce whose attitudes toward women are not very modern. But because of those early-on situations, women self-select out of those fields too. Research shows that at some point in a woman’s educational career, many decide that the technical stuff is not for them for some reason. That’s a societal thing that we need to fix.
When we first started back in the nineties, we convinced businesspeople that cybersecurity risk was somehow different from the other risks they had to manage. It was so scary that they needed to do something different about managing the risk,Rick Howard.
In one of your articles, you’ve mentioned that it’s a technologist’s role to explain complex ideas and concepts. Which concepts would you say require the most explaining?
When we first started this back in the nineties, we convinced businesspeople that cybersecurity risk was somehow different from the other risks they had to manage. It was so scary that they needed to do something different about managing the risk. And what we’ve learned over time is it’s not, it’s just another risk.
It’s probably not even the most important one for most. That’s what we have to tell the leadership and have them understand what we have to do as network defenders is to convey what the risk is to senior business people and how we do it all wrong.
The standard practice for conveying risks to senior leadership is, was a tool called heat maps. We walk into board meters and circle the red and say: see this really scary thing? I need a gazillion dollars to lower it.
And sometimes that works, and sometimes it doesn’t, but it’s just really bad science. That’s a qualitative risk assessment. It’s not very precise, and we need to get to a quantitative risk assessment. We need to ask ourselves, and the question we need to answer for senior leadership is ‘what is the probability of material impact due to a cyber event, say, in the next three years. That’s a different calculation, and as an industry, as a group of practitioners, we suck at that.
You host the CSO Perspectives podcast on CyberWire. Why is it important to try to reach executives directly? To paraphrase, why is it important to share at all?
The reason you want to share information is so you get exposed to different ideas. Even in the show that I do, I’m constantly having my mind changed about how to do something. I think, ‘oh, here’s how I would do something,’ and then somebody smarter than me says that it’s a really dumb idea. So that is the reason there’s no one way to do things. If you get a bunch of smart people in a room, you might come up with something interesting.
One of my pet peeves is people don’t read enough. And if they do read, they’re reading technical manuals, they’re not reading other things. I helped found this project called the Cybersecurity Canon project.
I’m always advocating that people should read books to learn something, but I’m also advocating that they should read books besides cybersecurity books to broaden their horizons,Rick Howard.
We built a ‘rock and roll hall of fame’ for cybersecurity books. And the idea is we get a bunch of practitioners together. They read the books, write book reviews for them, and try to put the book into one of three categories. And the first one is ‘hall of fame’ material. Meaning you need to read this book. If you have not read this book, then you probably have a hole in your education.
The second category says that a book is probably not a hall of fame book, but it’s a pretty good book if you’re interested in the topic. So maybe you want to read it. The third one is where we label the book, ‘do not read’. There’s lots of crap cybersecurity books out there. And so we do the work for you, so you don’t have to.
I’m always advocating that people should read books to learn something, but I’m also advocating that they should read books besides cybersecurity books to broaden their horizons. Because there’s more in the world than just the latest thing that Panda Bear did, and that might give you insight down the road about how to solve a problem in some unique way.
Maybe you could share some must-reads for people who are interested in the cybersecurity field? Perhaps something that would allow getting more perspective on things like the recent SolarWinds hack.
There are a couple of good ones that I recommend all the time. One is Cryptonomicon by Neil Stevenson. That is the best hacker novel of all time. It’s really long, though, so you’re not going to read that in a weekend.
But if I were going to go back to nonfiction, three books came out in the last couple of years that would cement your understanding of cyber adversaries that do these kinds of cyber espionage attacks.
The first one is The Perfect Weapon by David Sanger. He’s a New York Times journalist. The second would be Sandworm by Andy Greenberg. And the third one, Cyber War by Richard A. Clarke and Robert Knake.
They don’t talk about SolarWinds because it hadn’t happened yet, but the activity they’re describing is what’s going on with SolarWinds, so I would recommend those three.