This week’s theme in National Cyber Security Awareness Month is all about encouraging new talent to join the industry. Both Sophos and I are huge believers in the importance of encouraging the next generation of talent in information security.
Over the past couple of years we’ve seen numerous reports which highlight the need for more skilled information security professionals.
Not only do we not have enough people, but we are also not making sure we tap enough into the very talented individuals already out there.
Why does this problem exist and why do we care?
Technology is becoming more and more embedded into our everyday lives. We are carrying around mobiles, sharing information constantly and integrating systems in to our power, utilities and healthcare.
As we do this the risk of ever-more severe attacks becomes even greater.
Technology is a growing supporting pillar of our financial markets and critical infrastructure so we need the right talent to keep us all safe.
The rapid proliferation of platforms, devices and applications means we not only need more skilled individuals, but entirely new categories of expertise.
Building that takes time, and if we fail to act soon the skills deficit could have an even greater impact on our society. And without positive application there’s a risk that those with such skills may end up breaking the law to satisfy their need for challenge.
Why are we in this situation?
As part of initiatives like the Cyber Security Challenge, which aims to identify talented individuals of any age or background and get them in to the industry, I talk to quite a few very talented young adults who have as much capability as some already in the industry.
When I ask them why they hadn’t considered a career in cyber security before, they often reply “I didn’t think I was good enough” or “I didn’t realise it would be an interesting job”.
One of the biggest problems is that cyber security isn’t advertised as a career path to children, and often computer science classes are significantly behind the expertise of the children entering the classroom.
What can we do?
We need better mechanisms to recognise talented individuals, whether they developed their skills through academic or less conventional self taught methods.
Gamification is the perfect strategy, making security challenges both interesting and fun to play.
Over the past few years it has become cool to be a geek (well, I would argue it was always cool) so we should capitalise on this and advertise it as a viable career path for those who are interested in computers.
Initiatives like the drone-hacking competition we hosted recently at Sophos really help to encourage interest and develop skills.
Lastly, many security roles within business demand several years’ experience, but that limits the pool. We need to create more internships to allow people to gain experience after they have proved themselves in challenges like the one above.
Security is a key role for our society moving forward and is a rewarding and really interesting profession. If you know someone who is interested in computers, encourage them to find a challenge near you and consider a career in security.
I’d love to hear more about the initiatives you have in your countries to develop cyber security talent or ideas you have to encourage more people to consider the profession, so leave a note in the comments or tweet me at the address below.
Image of boy at school courtesy of Shutterstock.
6 comments on “Encouraging the next generation of cyber security experts”
Good article, working with what we have now is crucial. The sense of direction is off in my opinion. This will give the future of security the depth it needs. The ground up model can't hurt, this is not the same world today.
Am I the only one to pick up on potential bolstering of stereotypes by the use of the image used here? I've read articles in the past that have mentioned how IT needed to recruit more females, and that IT's image needed a makeover to ditch the "nerds only" reputation it has amongst the general public, and yet here we are…
Not a complaint, just an observation/opinion.
In Austria we have the Cyber Security Challenge aimed at attracting and rewarding skilled 14-20 yr olds – and a second challenge for 18-30 year olds.
The attitude of "its not important" as demonstrated by the fact our businesses and governments, are more interested in posting on twitter or Facebook, than being concerned about the security of their lives, or cyber worlds…The 5 minutes of fame for the people to be in the limelight and to be seen is such a draw, that the world of working in a very serious field and sometimes downright dangerous is not a real temptation. The money causes much of the problem, there is a lot of money to be made, who said once, "There a sucker born every minute", PT Barnum…
In the US there's CyberAces.org's free online Learn The Fundamentals of Cybersecurity (http://www.cyberaces.org/courses) which is held once a year (this year's course is already under way).
It relies on VMware's player and virtualization to provide some basic experience of Windows 8 (trialware) and Linux (CentOS) environments, and a certificate of completion is provided to all those who complete the course. Currently there are about 10,400 individuals registered with CyberAces and at least 3,247 participants in the first round of testing.
Participants include both high school and university students and working and unemployed professionals.
The course is held under the umbrella of the SANS Institute (sans.edu, sans.org), I believe.
From the few IT people that I know, they have voiced the concern of where can I get a job? And how much can I get? Both seem like good reason. I have not seen security types like the ones they are looking for advertised anywhere here in Arizona, where we have large tech companies. They look for some computer security but not in the line of doing what Sophos does. Where are the jobs and how much do they pay? I don't think they are as prevalent as just IT, more specialized and what about pay? Making 12 bucks for finding a security bug isn't thrilling, if you know what I mean…