In cybersecurity, we are fighting like the Japanese and losing
We are repeating the same mistake that the Japanese made during WW2
It is well known that there is a skills shortage crisis in cybersecurity. And it is no secret that cybersecurity professionals are burning out and seeking to leave the industry. It follows that the skills shortage crisis will get worse, with implications for national security and resilience.
What needs to be done to solve this problem?
To answer this question, we will go back in time to the fighting in the Pacific during World War 2...
In 1941, the Japanese had an elite cadre of aircraft-carrier aviators. They were an excellent bunch of professionals, flying the famous and seemingly invincible Zero fighter planes. Indeed, they walloped the Americans at Pearl Harbor and scored victory after victory in the aftermath.
But the Japanese had an Achilles' heel in their strategy: they did not value the lives of their elite aviators.
Firstly, the Zero fighter seemed invincible because it was extremely light. It was extremely light because it lacked armour and self-sealing fuel tanks. A well-aimed shot at the right place on the Zero fighter could easily turn it into an inferno. Secondly, they used and re-used their elite aviators in battles repeatedly, which meant their numbers dwindled as the war progressed. Since it took an awfully long time to train up elite aviators, the Japanese were not able to replace the battle losses in time. Consequently, as the war progressed, they had a larger and larger proportion of poor and inexperienced aviators. By the end of the war, the quality of their aviators was abysmal compared to their American counterparts.
The Americans had a different strategy. Instead of producing a small number of excellent aviators, they had a plan to churn out large numbers of good aviators continuously. The Americans took care not to re-use their aviators in battles excessively. In fact, they deliberately withdrew their experienced aviators from the frontlines and used them to train up their raw recruit aviators back at home. By doing it this way, they passed on their valuable battlefield experience to their rookie aviators.
The American approach meant that they had a steady supply of good aviators who became better over time. The Japanese approach, on the other hand, meant that they had a dwindling supply of excellent aviators that were increasingly replaced by poor ones. In other words, as the war dragged on, the quality and quantity of Japanese aviators deteriorated while the opposite was true for the Americans.
Today, when it comes to cybersecurity, we are making the same mistake as the Japanese. We have an excellent cadre of cybersecurity professionals. But we are over-using them, resulting in burnout as well as health and mental health issues. A significant portion of them want to leave the industry, thus exacerbating the skills shortage crisis. At the same time, we are not training enough cybersecurity professionals to replace the ones lost through attrition. I heard that a cybersecurity professional takes about a decade to train, presumably to the same excellent standards as the existing ones. Also, it does not help that organisations insist on only hiring excellent and experienced cybersecurity professionals from the same dwindling pool. For example, there are reports of so-called 'entry-level' cybersecurity jobs requiring 5 years of experience.
So, unless we have a plan to mobilise the training of a large number of good cybersecurity professionals instead of over-using our elite cadre of existing ones, we are heading in the wrong direction. This will have consequences for our national resilience and security.