How to Know and See Aptitudes for Cybersecurity
“Not everything can be solved with an algorithm…. People need to build up their knowledge. Philosophy, art, the ability to understand the sweep and impact of history. Technology changes, but the problems mankind has to deal with pretty much remain the same.”
— John McCumber, Director of Cybersecurity Advocacy for North America, (ISC)2
The (surprising) big picture
In words that a professor of English or history might use, John McCumber, a high-profile evangelist for cybersecurity careers, lays out the case for people to bring breadth, imagination, and the long view of things in developing solutions for cybersecurity challenges. These sentiments are consistent with what many cybersecurity leaders say in print and at meetings on the topic of what makes for success in cybersecurity. Technical chops, to be sure; but more than that goes into identifying candidates on the track to success in cybersecurity careers.
Establishing the profile of potentially successful cybersecurity hires matters a lot. Looking to the fewer than 200,000 students who graduate each year with degrees in computer science or engineering will make only a small dent in the 3.5 million jobs projected to remain unfilled in 2021.
And if John McCumber is right, these students are not the only, let alone best, prospects for these jobs. In a report from the Center for Strategic and International Studies, employers in large numbers report computer science graduates routinely lack basic knowledge and skills needed to step into cybersecurity jobs. Significant on-the-job training is required to ground them in areas like computer architecture, data science, cryptography, networking, and secure coding principles.
Asking the right questions
So, how can we know a strong candidate for cybersecurity success when we see one? If a technical degree is not a reliable indicator, what attributes do help identify someone who can step into a cybersecurity job, contribute to a team, and build a future in the field?
As a starting point, prospective cybersecurity professionals should bring business savvy to their areas of technical specialization. Cybersecurity is increasingly seen as an organization-wide requirement, and all employees need to apply security awareness to execution of their responsibilities. By the same token, cybersecurity professionals need to understand the larger business environment in which they work.“We want well-rounded professionals who understand a broad range of cybersecurity disciplines and who also understand the business side,” says Paige Adams, Group Chief Information Security Officer at Zurich Insurance.
What the jobs are
The cross-pollination of knowledge required to mesh cybersecurity and business operations can help to start reframing our understanding of what a “cybersecurity” job really is. One tech recruiting company surveyed cybersecurity companies in seven major high-tech hubs to find out what areas were in highest demand. The largest number of open positions fell into these four areas:
Software engineering, 41 percent
Sales, 22 percent
Marketing, 11 percent
Operations, 10 percent
Good hires can come from all over
Clearly, technical skills matter a lot. But companies providing cybersecurity products and services need help in many other areas to make their businesses work. Duo Security, for example, has reported that about 85 percent of their hires do not have a formal background in information security. Their clients – including Facebook, Paramount Pictures, Toyota, and Yelp – do not mind.
At Duo and other companies, many of these hires without formal training can be easily imagined as working on the “business” rather than the “technical” side of cybersecurity. Such businesses put cybersecurity-knowledgeable people to work engaging new and current clients, assessing business opportunities, plotting strategies, and so on. But even among technical staff, formal training is not necessarily in their background. A 2016 survey of 56,000 developers from around the world found that 69 percent of them were fully or partly self-taught.
Many rooms in the house of cybersecurity
Cybersecurity jobs also extend to operational needs quite different from business development, strategy, and communications. Securing systems from attack, for example, requires defenses of both a digital and analog nature, if you will. Not only must systems be protected from hostile incursions via networks and hacked user profiles, the buildings and physical surroundings in which they operate need robust safety systems, as well. Protecting the servers and machinery through which valuable data travel can involve everything from building design and security to protocols governing access and assessing human factors for risk.
Indeed, these “attack surfaces" can open systems up to existential risk. In perhaps the most notable such instance, the 2010 Stuxnet virus infected Iranian centrifuge controls through a flash drive loaded onto a single laptop within the air-gapped network used to manage the system. That work took relationship building, logistical smarts, and imaginative strategy, in addition to the sophisticated coding required.
The keys to success
A 2018 Wall Street Journal headline captured the gist of these observations about working in cybersecurity: “Cybersecurity Requires ‘Insatiable’ Problem-Solving Skills; Technical Skills Can Be Taught.” The article recounted the proceedings of the paper’s “Cybersecurity Executive Forum” in May 2018, in which field leaders called out their touchstones for cybersecurity career success. In sum, as one Chief Information Officer, noted, “Cognitive diversity is more important than anything for a cybersecurity person.”
Okay, fine. What does “cognitive diversity” really mean? Parsing the phrase through the filter of other comments and data points cited above, we might boil it down to two main elements: empathy, or the ability to inhabit other people’s views of the world; and imaginative, problem-solving skills.
Seeing things from here and there
Empathy is a starting point for any user-based design exercise. Understanding how someone else might use a tool, in different ways than are obvious to the designer, always makes the tool better. A former Google engineer, Yonatan Zunger, put it this way: “Since the whole purpose of the things we do is to fix problems in the outside world, problems involving people, that means that understanding people, and the ways they will interact with your system, is fundamental to every step of building a system.”
Problem-solving, advanced version
Problem-solving skills useful in cybersecurity build on empathy by combining a perspective of “other-ness” with the creative intelligence to improve or extend the efficacy of a security tool. Or, even better, break the tool. As “security guru" Bruce Schneier observes, "Security requires a particular mindset. Security professionals – at least the good ones – see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice. They just can't help it.”
The high stakes associated with cybersecurity systems make understanding how people might interact with them — with either constructive or nefarious intentions — all the more important. Achieving this understanding, then, requires blending the technical with the imaginative in ways that cybersecurity leaders find rare but crucial to their work.
The education landscape
To promote development of the technical skills cybersecurity professionals need, the National Security Agency has accredited just over 20 post-secondary schools as National Centers of Excellence in Cyber Operations. Many other schools leverage local industry connections and particular institutional strengths to offer cybersecurity education programs aligned with an understanding of industry needs. The University of Southern California has ties to Silicon Valley as well as the defense industry; Syracuse University offers concentrations in cybersecurity with finance applications; and Ohio State University links cybersecurity education to smart grids and mobile phone technology. Connecting advanced cybersecurity-related technical training to the intangible, unconventional qualities of insight captured by the “security mind-set” idea is the holy grail of leaders and educators in the field.
The updated, 2nd edition of the Start Engineering Cybersecurity Career Guide, to be published this month, presents a broad, engaging picture of cybersecurity and the career opportunities it offers. It connects the critical need for information security in all facets of our online lives to the rich variety of skills and abilities that can launch a student towards success in the field. Students of all backgrounds, and certainly those with the “security mind set,” should find something that speaks to their hopes and plans for future study and work.
The new edition also gives prominence to all the details and specifications to do with cyber work that the NICE Career Framework offers, combined with comprehensive information about educational pathways, from certifications to four-year degree programs. It is intended to help any organization or initiative committed to cybersecurity workforce development succeed in attracting more, and more diverse, students to the field.
And, finally
What do you think aspiring cybersecurity professionals should be learning in school? What kinds of interesting approaches have you seen? Please be in touch with comments as well as with any questions about our updated cybersecurity career guide.
Eric Iversen is VP for Learning and Communications at Start Engineering. He has written and spoken widely on engineering education in the K-12 arena. You can write to him about this topic, especially when he gets stuff wrong, at eiversen@start-engineering.com.
You can also follow along on Twitter @StartEnginNow.
Our Cybersecurity Career Guide shows middle and high schoolers what cybersecurity is all about and how they can find the career in the field that’s right for them. Now with a Student Workbook for classroom or afterschool use!
To showcase STEM career options, pair our cybersecurity books with the newly updated, 2019 edition of our Start Engineering Career Guide.
We’ve also got appealing, fun engineering posters and engaging books for PreK-2 and K-5.
Our books cover the entire PreK-12 range. Get the one that’s right for you at our online shop.