A lot of media tells us we have a critical shortage of cybersecurity people and we need to train thousands more! There seems to be this idea that if we just get enough cybersecurity-focused people we'll be fine -- Cyber Warriors to the rescue! (You can stick "cyber" in front of anything at the moment and it's cool.)
Now, I won't for a second say we shouldn't have people focused on cyber, or that cyber-focused courses and degrees are a bad thing.
It's excellent we're upskilling professionals and broadening the base of those with cybersecurity knowledge -- because we do need to raise the collective awareness and understanding of this business critical risk -- but there are two considerations we need to talk about given the idea that we need thousands upon thousands of specially trained cybersecurity professionals added to the industry.
The first consideration for discussion is the idea that good cybersecurity people will only come with a cybersecurity degree. A large number of people I know (many of whom I consider to be the best of the best) got into cyber by accident -- or at least by a less-than-obvious path.
Personally, I got into computer security (as it was known) by accident. All I wanted to do was program supercomputers -- anything with lots of complicated silicon -- so I joined Defence Signals Directorate (now Australian Signals Directorate) along with a number of other graduates and was promptly allocated to the computer security team. This was puzzling and not on my masterplan, but it turned out I'd done some IT and mathematics courses at university that were quite useful in thinking through security problems.
Fast forward a few years and I am terribly grateful for that turn of fate. But the point is, I had an IT degree that had absolutely nothing related to IT security in it but which has turned out to be a bedrock for my cybersecurity career. The concepts and ideas I learned from a pure IT degree adapted nicely into security.
Before you tell me "but that was 20 years ago, there was no good cyber training" let me add that in the industry we've got linguists, engineers, IT people, arts graduates, communication experts, and the list goes on.
And it's that very range of backgrounds that makes them awesome. Cyber is not something restricted to a small range of geeks -- it's a multi-dimensional beast that needs all sorts of expertise for us to succeed. Linguists often make fantastic analysts -- they understand different cultures and how people think. Communications people know how to influence people and get them to think about cyber.
The important thing is the passion and the interest. Just give me a curious person who loves security. We can teach them the rest.
The second consideration for discussion is the idea that if we just have thousands of highly-trained people focused on cyber (and nothing else) we'll be fine. I'd actually go the other way. I'd suggest we need lots of people focused on their day job, whatever it might be, who have an appropriate level training in cybersecurity. You're a programmer? Make sure you code securely. You administer systems? Make sure you know how to secure them. You're a lawyer? Understand how the cyber world is impacting legislation. You're a manager? Understand the risks you manage. I can go on ...
Can you imagine how powerful it would be if everyone had an appropriate level of training in cyber? The right thinking would permeate everything we do!
So let's broaden our thinking when it comes to training thousands upon thousands of cyber warriors. Sure we need some -- and I like the degrees and research I'm seeing -- but let's also recognise that we need a level of cyber education in far wider areas than the dedicated cyber professionals. I'd even suggest it needs to start in schools.