Why will the 'dead bodies' of cybersecurity victims pile up faster?
The reason is that the demand side of the cybersecurity skills 'market' is broken
It is no secret that there is a cybersecurity skills shortage all over the world. In fact, this shortage is often described as a ‘crisis’.
But the response to this crisis always deals with the supply side of the issue. Nobody is thinking about approaching the problem from the demand side. For example, the government is holding a Jobs and Skills Summit in Australia. All the proposed solutions are supply-side ones, of which training and immigration are the most often mentioned.
Demand side dysfunction
In cybersecurity (and in the wider tech industry), the demand side of the problem is especially acute. This 2019 report mentioned that cybersecurity graduates, despite having skills in high demand, faced difficulties finding employment:
However, it will take time before this pipeline of graduates is ready to enter the workforce, and even then they may face obstacles because of outdated hiring practices.
That report cited a survey:
In addition, there are signs that employers’ hiring practices may be exacerbating the lack of skilled workers. For instance, two-thirds of information and cyber security professionals surveyed by the Australian Information Security Association in 2016 cited management’s failure to understand skills requirements as a key driver of the current cyber skills shortage, while just over half said employers were reluctant to recruit and train entry-level candidates for cyber security roles.
A CISO explained:
‘HR writes position descriptions based on things that they know how to assess, like qualifications and experience. The new cyber security workforce doesn’t yet have these qualifications or experience.’ CISO, large Australian company.
This report is consistent with what I wrote here about the utter mindlessness of how recruitment processes actually work:
That is why the job market is so brutal. The hiring process is done this way because it is convenient and cheap, not because it produces the best outcome for both the company and the candidate.
As I explained further here, the outcome of such widespread dysfunctional hiring practices is this:
… companies are only looking for those with the exact configuration of previous experiences to fill vacancies. This implies that companies are hiring people who are trained and experienced at others’ expense. There is widespread reluctance to invest in the skills, training and development of both existing and new staff.
This hiring culture betrays an underlying selfish motivation. If companies invest in developing their staff, then when these staff are poached by others, they are, in effect, subsidising the training and development of staff for other companies. Therefore, companies are adopting the attitude of NOT training their staff. Why invest in training and developing their staff’s skills, only for them to be poached by other companies, who will then enjoy the fruits of their investment? Therefore, companies would rather be the ones poaching other companies’ staff.
Unfortunately, this widespread practice results in a chronic under-investment in skills, training and development in the economy.
In the context of cybersecurity, the outcome is that the skills shortage crisis is being exacerbated by cheap, convenient and expedient hiring practices that are worse than ineffective: they make the skills shortage problem even more acute. Such hiring practices are counter-productive to solving the skills shortage crisis.
What organisations need to do instead is upskill from within. As Ben Rothke wrote here:
Israel Bryski is a veteran CISO at an investment firm in New York City. He says that “firms should organically grow and cross-train their IT staff into security professionals. Many IT people are more than eager to enter information security. Creating an internal program to mentor and train them is a long-term, but highly effective approach.
Example of dysfunctional hiring practice
There are signs that hiring practices have degenerated into a farce. This is what I saw on LinkedIn:
Personally, I was approached by a cybersecurity recruitment agent who confessed to me that she had no idea what the job requirement meant.
To make matters worse, businesses and governments automate their dysfunctional hiring processes with mindless software algorithms. As this Wall Street Journal article reported:
Companies Need More Workers. Why Do They Reject Millions of Résumés?
Automated-hiring systems are excluding many people from job discussions at a time when additional employees are desperately needed.
And so this magnifies and scales up farcical hiring processes.
Is the cybersecurity skills shortage a myth?
The dysfunction on the demand side of the skills shortage is so bad that there is now push-back from the grassroots level. A registered non-profit organisation, Cybersecurity Gatebreakers, has been formed to deal with this problem:
The cybersecurity skills gap is a myth.
There are tens of thousands of bright, passionate, and high-potential people around the world, hoping desperately to break into cybersecurity. But there is no room for them; most “entry-level” job openings require years of experience, formal technical education, and a litany of professional certifications.
But why is this?
Certainly there is entry-level work in cybersecurity. You don’t NEED five years of experience, a college degree, or a CISSP to do many of the basic tasks found in cybersecurity. This is true across almost every domain, subdomain, and speciality within cybersecurity.
Demand for cybersecurity skills is asking for a mathematical impossibility
As I mentioned before in this article:
In this Information Age, changes are happening at an accelerating rate. There will always be new processes, new technology, new software, new hardware and new information coming in.
The work that you do will always be changing. Your experience will grow along with your work, even in the absence of training and development by your employer.
But there is one problem.
The specific configuration of experiences you gain will be unique to your company only. Since no two companies are identical, no two people with the same job title in different companies will have an identical configuration of experiences. In other words, you, along with many others, have become a unicorn.
This is especially true for technology workers.
Let me quantify the level of uniqueness of modern technology workers. In cybersecurity alone, there are 3,500 different specialisations. Let’s say that in a typical cybersecurity job, employers are looking for experience in 5 different specialisations. How many combinations of 5 specialisations can you get from 3,500 specialisations? Using the Excel formula COMBIN(3500,5), I get 4,364 trillion! If I am looking for only 2 specialisations, the number of combinations drops to 6.1 million.
In typical technology job postings, it is common to see employers demanding several to a dozen specialisations. For a dozen specialisations, this is the number of combinations:
6,922,787,977,494,940,000,000,000,000,000,000
Of course, these numbers are just the theoretical upper limits. In reality, they will be very much smaller. But they will still be relatively large. So, no matter how you cut it, the demand for cybersecurity skills has reached a mathematical impossibility. That is the real reason why there is a skills ‘shortage’ in cybersecurity (and in technology in general). The demand cannot be filled by supply globally. It is a mathematical impossibility.
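The three figures above can be reproduced exactly with integer arithmetic. This is an added example, not code from the original article; it assumes the article's figure of 3,500 specialisations and also shows why the spreadsheet's 12-specialisation figure ends in a long run of zeros: Excel's COMBIN returns a floating-point value with about 15 significant digits.

```python
# Added example: exact combination counts for the article's scenario.
# Excel's COMBIN works in floating point and keeps roughly 15 significant
# digits, so its 34-digit result is shown with trailing zeros; Python's
# math.comb uses exact integers.
from math import comb

SPECIALISATIONS = 3500  # figure quoted in the article


def combinations_required(k: int, n: int = SPECIALISATIONS) -> int:
    """Number of distinct unordered selections of k specialisations out of n."""
    if not 0 <= k <= n:
        raise ValueError("k must be between 0 and n")
    return comb(n, k)


def to_15_sig_digits(value: int) -> int:
    """Round an integer to 15 significant digits, the way a spreadsheet displays it."""
    digits = len(str(value))
    if digits <= 15:
        return value
    scale = 10 ** (digits - 15)
    return (value + scale // 2) // scale * scale  # integer rounding, no float involved


def specialisation_table(ks=(2, 5, 12), n: int = SPECIALISATIONS) -> dict:
    """Map each number of required specialisations to (exact count, spreadsheet-style count)."""
    table = {}
    for k in ks:
        exact = combinations_required(k, n)
        table[k] = (exact, to_15_sig_digits(exact))
    return table


if __name__ == "__main__":
    for k, (exact, shown) in specialisation_table().items():
        print(f"{k:>2} specialisations: exact={exact:,}  spreadsheet={shown:,}")
```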
Unless something is done on the demand side to consolidate the number of specialisations to a realistically manageable number, the cybersecurity skills shortage will continue to be a global issue.
Why are cybersecurity professionals resigning and leaving the industry?
In the cybersecurity industry, there are serious difficulties in getting enough skilled workers. This problem is going to get worse because a large proportion of those skilled workers intend to resign. As this ZDNet article reported:
Cybersecurity leaders are anticipating mass resignations within the year - here's why
The growing threat of attacks combined with industry skill gaps is leading to sky-high burnout rates among cybersecurity professionals.
Other reports of a mental health crisis among cybersecurity professionals include:
Cyber professionals say industry urgently needs to confront mental health crisis
Burnout among cybersecurity teams driving data breaches: survey
As cybersecurity professionals resign, they pass their existing workloads on to the colleagues who are left behind. This increases the burden on those colleagues and accelerates their burnout. That in turn induces them to resign too, passing the burden on to fewer and fewer cybersecurity professionals.
The problem is so bad that an organisation has been set up to combat it: CyberMindz.
Why are cybersecurity professionals burning out?
The reason is overwork.
Why are they overworked?
The main reason is the nature of the problem that the cybersecurity industry is trying to solve. As I wrote in What do cybersecurity and the Great Wall of China have in common?:
Cybersecurity has a similar problem to the Great Wall of China. The nature of the problem favours the attackers disproportionately much more than the defenders.
…
As we all know, there is a severe shortage of cybersecurity professionals. The defenders of the Great Wall of China needed to dwarf the number of attackers to be effective. The Ming dynasty had to deploy a colossal army of 1 million to do that job. But in cybersecurity, we are nowhere near the relative number of professionals required to defend against attackers.
The death spiral of the cybersecurity industry
You would expect that this would increase the urgency to hire new entrants into the cybersecurity profession, right? Unfortunately, the existence of the Cybersecurity Gatebreakers foundation shows that the cybersecurity gatekeepers are not budging.
As I wrote in In cybersecurity, we are fighting like the Japanese and losing, we are repeating the same mistake that the Japanese made during World War 2. And we know that the Japanese lost the war. In the same way, our cybersecurity industry is going to lose to its adversaries: cybercriminals and hostile nation-states.
In other words, the cybersecurity industry is in a death spiral.
That’s where more dead bodies are going to pile up faster
Remember those “tens of thousands of bright, passionate, and high-potential people around the world” mentioned by the Cybersecurity Gatebreakers foundation?
These people, although rejected by the cybersecurity job market, have the skills to be hackers and cybercriminals. In fact, I saw this meme in this Reddit forum:
By not resolving the demand side of the problem, the frustration of these talented and passionate individuals can only grow. The temptation to go over to the dark side can only increase. After all, cybercrime is a good ‘business’. Even if these individuals do not want to commit cybercrimes directly, cybercrime is now an ‘industry’ of its own, with various levels of division of labour and specialisation. These individuals will be tempted to provide grey ancillary services to whoever is the highest bidder, who may be the real cybercriminals and hostile nation-states.
This means that as the cybersecurity industry falls into a death spiral, the cybercrime ‘industry’ will experience corresponding growth. This can only mean one thing: there will be more victims of cybercrime and hacking. In the end, all of us will eventually pay a price for not resolving this problem.
Another article about the cybersecurity burnout crisis: https://www.forbes.com/sites/tonybradley/2024/10/15/the-cybersecurity-burnout-crisis-is-reaching-the-breaking-point/
“Disgruntled cybersecurity workers, including code developers and AI experts, are offering their services on the dark web for extra cash. On top of that, other professions whose work may have been jeopardized by machine learning are also hiring themselves out to criminals.
What’s more, if the problem is not addressed by better salaries and working conditions, the cybersecurity industry could risk losing as many as one in ten workers to cybercrime.
The stark warning comes from the Chartered Institute of Information Security (CIISec), which trawled the dark web and found some alarming advertisements put up there by seasoned cybersecurity professionals.”
https://cybernews.com/news/cyber-workers-turning-to-crime/