Cyber Talent Needs a Higher Calling
We've all heard about the talent shortage in Cyber. But let's be clear, there is not really a shortage of candidates. When I talk with colleagues about finding Cyber talent, the discussion gets to the heart of the matter fairly quickly: there are too many candidates, and they are either not qualified at all or overqualified. There seems to be no middle tier and no foundation for growth of the underqualified.
How We Got Here
Those of us in cyber may remember a time when there were no cyber or InfoSec departments. When I started my career working on Unix and Novell Netware 3.11, security was part of the job. Back then, the expectation was to be an "IT Guy"; a jack of all trades, master of none.
My experience is not unlike many others. In the morning, I could be fixing a break in a 10Base-2 cable supporting a token ring as soon as I got to work, restoring a file from backup tape for a doctor during my morning coffee, restarting a service on an NT 4.0 accounting server after lunch, and installing Windows 95 from 16 floppy disks and then setting IRQs for the sound card. Before I went home, I might find out a plumber had dug up my conduit, and before customers showed up in the morning I would need to pull a new 12-strand fiber cable and terminate it to get the west campus up and running.
All OS's, network, firewalls, storage, backups, user support, forecasting, ordering - we did it all! We complained, but it was fun and, more importantly, we were able to build it all, and we understood all aspects of the technology stack. When HR wanted a new system, or the board wanted to add a new building with access to core systems, we understood the interdependencies and how to introduce those changes with minimal impact and risk.
As progress continued, the internet became less of a nice-to-have and more of a dependency, and things changed. Businesses expanded, security became a concern as networks and complexities grew, and we began to specialize in technology. When the first Information Security departments were created, the folks who built everything were often tasked to secure what they had built. It made logical and emotional sense.
Internal Strength
Whether leaders at the time knew it or not, who they tasked with securing the company's information would forever change the face of IT within companies across the world. It was from this point that practices and departments within IT diverged, and having a strong Information Security practice would become crucial to business success.
One of the most important traits of an InfoSec professional is fortitude. The first cyber teams were also the builders of the infrastructure, and with that came ownership. Healthy or not, there was an emotional attachment to what they were protecting, and it was simultaneously good for the business and bad for InfoSec reputations everywhere. As these teams grew, these ideals were passed on along with their tribal knowledge. Responding to requests with a protective emotion is how Information Security (or cyber) garnered a reputation as "naysayers" and "blockers".
Within the enterprise, Cyber is hated more than any other department, even HR. We are blamed for all missteps, outages, slowness, bad business decisions and marketing flops. We are consistently asked to compromise our training and corporate policies, and to put business I.P. at risk, to speed up processes or correct other teams' mistakes. Yet, we are noticeably alone when called to testify before a committee about a breach.
Cyber is a lonely job. To be successful, you must have a higher calling and believe in something bigger than yourself. You must lead by serving others and protecting them from themselves, no matter how much they protest and what level of person is protesting. You must be humble, listen to reason and adjust where the risk allows. A cyber professional must be smart and on top of their game: up-to-date on the latest tech and able to talk about any aspect of technology, because Cyber covers it all.
Current State
In most organizations, there are few people matching the profile above of a successful cyber professional. Most cyber professionals hired within the past 5 years lack a higher calling and a servant leadership mindset, or are not humble enough to listen, process and adjust an approach when appropriate. But that is indicative of a larger issue.
Rather than adjust corporate policies and processes, security people are moved out of the way for short-term progress, and less qualified, more controllable people are moved in for quick wins. This has not only resulted in more breaches and data exposures, but we also have an epidemic of people turning to Cyber for a quick paycheck and leaving with no accountability. This is happening at all levels, from engineer to executive, and it is entrenching the us vs. them mentality.
The constant churn of cyber professionals within an org is causing many departments to handle their own security. I see it in the various companies I consult with, and my colleagues confirm it: Shadow Security is a thing. Cloud has allowed business units to build their own workload environments, and in a vacuum of security guidance, they will build their own security stack as well. The problem is, no one can attest to the controls. Who will stop this? We must.
Cyber has to stabilize; we have to provide consistency. Cyber is a system of tools, policies and people. In this equation, our policies are constant, the tools available to us are constantly in flux, and if our people are also in flux, our entire org is inconsistent. Stabilize the people so they can apply stable policies through processes and tools that change.
The Next Generation
For those of you looking to become a Cyber professional, the fact that you are still reading is a good sign. For those of you looking to hire a Cyber professional, there is hope. First, it is important for both of you to understand that it is not just Cyber that has a talent issue; all of IT does. The focus is on cyber, though, because modern cloud platforms have abstracted most of IT into services. Cyber still requires people to establish trust, decipher regulations and create controls that meet policies based on current resources and capabilities.
The next generation of Cyber candidates will not have the opportunity for organic growth that my generation had. While there are more specialized cyber degrees and certs available now, this generation will still need mentoring. Everyone involved needs to understand this: hiring managers, cyber executives and candidates.
Cyber Executives need to support mentoring for the long term. This will take time and resources from your senior staff and require a dollar investment in people, including training, with little up-front benefit. You need to rebuild a pool of great talent that has been decimated by corporate greed and a lack of importance placed on compliance. This takes time to do right and will likely require investment in alternative talent and upskilling programs. Support from you and the wider executive team is a requirement of these programs. Reach out if you need to discuss successful methods for getting buy-in and managing expectations with other executives and the board.
Hiring managers, you will need to focus on the intangibles. As described above, candidates need to have a higher calling and purpose. This is hard to find during interviews and may require a greater corporate effort. WWT has two programs: an internship program for those in college and an Associate Academy for those out of college looking to get started with WWT. Every organization has different needs, but these programs give all parties a long-term look at each other, ensuring both are comfortable and ready to make the investment in each other. Make sure the mentor and the mentee align religiously and philosophically; success requires a connection capable of tribal knowledge transfer.
Candidates, you need to slow down. First, reread the section above about internal strength. If that is not you through and through, there are plenty of IT careers available to you, and WWT has people, including myself, who can help you find a career path. You will be miserable in Cyber otherwise. Second, I know you want to make as much money as possible as quickly as possible, but realize that you are not qualified. Yet. You need to apprentice, and it will be a slow process. Find the right company, one that has programs to get to know you and that allow you to get to know them. Find out what the company is about, what motivates them, and whether your values align. If you are really a servant leader and have the fortitude to be a top Cyber professional one day, the length of this path will not deter you.
Success Story
WWT's internship program has a long history of success, with many current and former leaders coming through it. Our Associate Academy has a shorter history, but with similar success. The Academy exposes recent college graduates and those looking to change careers to technology. WWT invests heavily in this program, ensuring participants receive a solid baseline in all aspects of technology and professional life within WWT. Our Cyber practice was fortunate to hire a few graduates of the 2022-2023 cohort, all of whom are making an impact.
One of these rising stars is Claire Whitehouse, who joined my team about 18 months ago. Corporately, our investment in Claire was apparent in her professionalism and foundation in understanding the technology WWT offers. When I first interviewed Claire, I could tell she was talented and had the right mindset for a career in Cyber, but knowing if we were the right match philosophically would take time.
It didn't take long for her true passion for doing what is right and her servant leadership approach to shine, confirming our hopes for her in Cyber and ensuring our success as a team. In an attempt to bottle Claire's passion, hard work, and ethics, I wanted to make sure we documented her state of mind as much as we could during her journey from Academy graduate to Cyber professional.
My hope is that Executives, leaders, hiring managers, and candidates find the interview excerpts between Claire and me below valuable and use them to understand the mindset of a young professional on her way to becoming a cybersecurity expert.
Interview
Pre-Customer Engagement Q&A
"What was your early trajectory in high school? Where were your thoughts on the future, and what you thought you wanted to be? Was it related at all to what you are doing now?" - Anthony Glackmeyer.
I knew I wanted to be in some sort of technical role since I was in high school. I have always enjoyed challenging my mind and working hard to figure something out. That feeling of fixing or creating something after hours of building, researching, breaking, building again, breaking again, etc. is so exciting to me. That's something that I knew I wanted to be a part of, and I knew I would never get bored of it either because there's always something new to break. I also really enjoyed the idea of being a woman in technology because it sounded like a challenge. - Claire Whitehouse.
"What was your original choice of degree at University? Did you change? What were the classes that helped you the most, classes you thought were useless, but now you see were helpful?"
I chose Computer Science as my major, just to start off. I enjoyed the content of my classes, but I started to realize that I was not getting enough out of them. Now, this very well could have been my own lack of motivation to push myself as a freshman in college but no matter what it stemmed from, I just was not learning enough. And then the COVID pandemic hit during my sophomore year, and all of my classes were pushed online, so I didn't even have a professor to teach me anything. I was all on my own, and I was struggling. Something that I believe is that learning how to learn is difficult. We all retain and understand information differently, which is why some people struggle more than others. I ended up switching my major to Security Studies, which was a great decision for me because the professors and the classes that I took for this major pushed me in the way that I needed to be pushed. My professor for the very first class I took, Introduction to Security Studies, was also my advisor. His classes were tough (he was tough-looking, too). We went to class every day knowing that if we didn't do our required reading before class, we would be asked to leave (kicked out). It was a small class with a discussion-based format, which I learned to love, but it was difficult at first because you would be called out at random to answer a question. Our exams were difficult; we would get a list of 20 or so words, names, or terms, anything from The War on Terror to the Fourth Amendment, and we would just have to brain dump everything we knew. Points would be awarded for details such as what it is, why it's important, what it relates to, and more. This class not only improved my ability to learn deeper than surface level, but it also boosted my confidence immensely. I had to adapt to more critical thinking, deeper understanding, rather than just quick memorization, which helped me get through everything else up to that point.
"How did the WWT Associate Academy prepare you for a corporate job?"
After college, I entered the Associate Academy at WWT. The Academy was the perfect transition from college to a corporate job because I was still in study mode and was able to ease into the real world of work. I continued my technical learning by working towards and achieving 3 industry-recognized certifications: CompTIA A+, Network+, and Security+. This was something that I definitely couldn't have done without the whole experience of learning how to learn in college, because all of those certification studies were done independently from the rest of the cohort.
The Academy also encouraged us to network and meet new people throughout the company. We were expected to meet a minimum of one new person per week. Because of this, I had no hesitation in reaching out to leadership in the cyber org.
It worked out perfectly that they were ready to hire an engineer right at the time that I was finishing up in the Academy.
"Were you afraid to leave the academy?"
The only thing I was nervous about was that I didn't know enough, and because of that, I wouldn't be respected, trusted, or believed, etc. And this was partially true. I started out feeling like I knew nothing. I worked on another certification during the first several months of my new role, the AWS Security Specialty Certification, but even that didn't prepare me for calls with customers that my practice lead would take, where I would just be a fly on the wall.
"What worried you the most about taking this role (as a Cloud Security Engineer)?"
I worried mostly that I was taking too long to gather all the knowledge I needed. It took me a little while to fully understand that it's normal to feel so far behind when you're just starting out. It sounds obvious now that I'm writing it down, but in the moment, I felt like I needed to become an expert within a year. You can't learn how to build a rocket in a month. You can't expect to be a cybersecurity expert either. We have an industry term, SME (Subject matter expert), that we use to describe a person who is just extremely knowledgeable about whatever subject they specialize in. That is what I'm striving for. The reality is, I won't get there for another 5-10 years unless I choose to specialize in a very small subject, but what's the fun in that?
It takes a long time to master a subject, but while you're in the thick of it and you're fully engaged in learning and then wanting to learn more, it's difficult to look back and think about how much you've actually retained and how much more you understand today than you did a couple of months ago.
"How have you been humbled along your journey, so far?"
I find new ways to humble myself every day. One notable mistake I made was not putting enough effort into staying up to date on what was going on around me. I spent too much time with my head down, focused on my studies. Lately, I've spent a lot more time reading the news, seeing what other teams are working on, and talking to colleagues. This has proved to be a much more valuable use of my time. Of course, I still carve out time specifically to study for my next certification, but that isn't as valuable to my current role, although certifications do help. They give those of us who haven't had 15 years of experience in 10 different roles the background knowledge that we need. I've also been asking for help from my practice lead/mentor a lot more. We will go through different technologies and how they work together, and situations that he's seen in his past roles and from customers who have come to us for help.
"Do you have any advice for others following this career path, specifically women?"
Don't let the stereotyping hold you back! Being a woman in technology, especially a woman in cyber, has a lot of preconceived notions tied to it, and I feel like those can hold a lot of people back from ever trying. As I said before, I saw it as a challenge when I first started working here, but it was not as much of a battle as I thought it would be. I cannot speak for every woman's experience in this industry, but a lot of it boils down to who you're working with individually, not the entire industry. I'm lucky enough to be surrounded by people who want to see me succeed. I do often stand out because of my gender and my age, but it's not a bad thing to stand out sometimes.
Post-Customer Engagement Q&A
"Describe an early confidence booster."
One of the first big moments when I realized that I was making a lot of progress was a presentation that I took the lead on for our internal Global Cyber Org. I presented the results of a project we worked on from beginning to end, talking about the research that we did and the opinions that we drew from that research. My practice lead told me that after this presentation would be a turning moment for me and my confidence, and I thought, yeah, sure. But it really was. Not only was it an accomplishment for me to lead a presentation like that to such a large group, but I also realized afterward that I had just taught something new to 30+ people who had up to 30 years more experience than I do. It was a good feeling.
"What lessons have you learned?"
To be completely honest, I have learned a lot about cyber and about technology, but a lot of what I've learned has made me skeptical about it all. For obvious reasons, including the sensitivity of these machines that we trust with all our personal information, and the rate at which those machines are being breached. But what surprises me the most is the industry itself. Here is the trend I've noticed: we keep pushing out new, exciting security tools as fast as possible, but all of that is based on buzzwords. What's the hottest new trend? How do we stay relevant? Are we "thinking out of the box"? Pushing out these new tools is great. Security should keep expanding and opening new doors. But once this next big tool is out on the market, our customers might put all their energy into that and forget about the basic security necessities like implementing MFA. Look at the recent Snowflake breach. Hundreds of their customers had data stolen, but it was only the customers who failed to require MFA for logins. Security is much simpler than it sometimes seems. It's a huge battle of money vs. effectiveness. Vendors want to sell; customers want to get the next big thing. Why don't we all just slow down?
"Looking back to the choice you had to make coming out of the Academy, choosing Cyber or another field, would you make the same choice?"
I do plan to stay in cyber, but it's much different from what I expected. I think it's made me take a more critical look at various parts of life. Normally, I love to have a positive attitude, and I want to look at everything with an optimistic outlook, but that's not always reality. There are times when you must look at whatever situation you're in with a skeptical viewpoint to understand what's wrong and try to make it better. So, while it's different from what I expected, I would make the same choice.
"What is next for you?"
My plan for the future is really to continue building and growing. I am taking the path that I want to be on; I don't anticipate making any major changes, although I know that I have a lot of room for growth. Whether that is in my technical knowledge, public speaking, professional presence, or whatever else, I plan to be the person I am now, but better.
"We've talked a lot about what is next after mastering cloud security. What are your thoughts about that step?"
I would like to move to a different area of security, such as data, identity, and application security, and master that. I will continue to gain knowledge on a bunch of different areas of security to have a more well-rounded skill set. Ultimately, I'll become an architect, then I'll figure out the rest.
Conclusion
Those most successful in a Cyber career are "called" to service. In many ways, Cyber Security is a ministry, requiring hours of preparation, continued sacrifice, and working with people along their journey towards better security. It is not a career choice that should be taken lightly and is not for the faint of heart.
Many can learn the technical principles. Few understand how to mesh those principles together into an approach that satisfies business requirements. And even fewer can apply that approach in a manner that meets policy with the fortitude to maintain compliance through requirement changes and architecture adjustments.
Our industry no longer has the ability to organically train seasoned IT experts and promote them to Cyber roles, and frankly, even if we did, we no longer have the time. We must strengthen our approach to recruiting talent to include evaluating a candidate's values and philosophies. Not to ensure they align with corporate values and customs; instead, they need to be aligned with a value system that will remain constant.
The C-suite, along with their new ideas and policies, will come and go. Government parties and the regulations they push down will change with every election year. The buzzwords and marketing focus change by the week. As the most important job in IT, Cyber needs to ensure our next generation is resolute and steadfast against these transient influences and has a correctly calibrated internal compass.
Find those people and build a mentoring program around them. They will help restore faith in Cyber and assess and mitigate risk in a more meaningful and relevant manner than any AI could calculate.