I see a different gap from here!
Every goddamned time I break my vow to prioritize my mental well-being and my eyeballs by going on LinkedIn, I need to take a thousand deep breaths whenever I see a vCISO spouting bullshit about a talent gap in cybersecurity. When I come to after passing out, I stumble upon a write-for-us-for-free "Expert Answers" with some neat suggestions to close this non-existent gap: continuous training, mentoring, certifications, aligning curricula to industry needs, and all sorts of well-intentioned platitudes that won't solve the problems that do exist, let alone the imaginary problem of "not enough qualified people." It'll get you some likes, though.
Here's what actually happens: a bunch of people who don't know what they're doing flood the market after going through some bullshit bootcamp, and think they'll land a fancy 7-figure FAANG job in five minutes because they managed to read the nmap manpage. These folks think that because the entities providing this "continuous training" you keep talking about are also full of shit, and will overpromise and underdeliver. Like software development bootcamps. Or data science bootcamps. Or any kind of magic training that promises you'll be a fucking 10x anything in 6 to 8 weeks. That, super chiefs, is impossible. I've been doing this shit for decades and I don't even know what I don't know.
Another issue is the absolute lack of foundational knowledge. Simple stuff: networking, access controls, risk management, encryption, etc. I know many people who don't understand how computers compute, for fuck's sake. "Uhhhh. What is a register?" cannot be something a cybersecurity professional says. You must understand things, and figure out how those things apply to the other things you're doing. You need to think. And that's where the gap lies: if you can't operate unless the answer to your problem is in the form of a multiple-choice question, you need to go back to the beginning and start over.
But how the fuck does the market get flooded with test takers who cannot think? Well, good buddy, we arrive at yet another gap: the gap between people who know how to hire and those who don't. And that's an easy one to spot. Every single job description that requires some sort of certification must be treated with suspicion. Demanding a certification usually means that you don't know what you want, and you're just outsourcing your thinking to someone else. The problem is that this someone else is also unable to measure anything beyond one's ability to sit down and click on some ridiculous questions. It's like buying wine: if you don't know anything about wine, you might assume the $500 bottle is inherently better than the $30 bottle. Now, if you ask any French person whether that's a good way to measure the quality of wine, they'll call you stupid, and tell you that you deserve to be separated from your money. In no uncertain terms: holding a CISSP means nothing in itself.
And that brings me to another gap. The gap between people who are willing to learn and those who leave the bootcamp and think "that's about it, GG. EZ." To those people, silly things like context, nuance, and using the right tools for the job are just a big waste of time. Why think about something when you can throw money at any given problem? I shit you not: I know a lot of extremely talented professionals who offer their time to mentor other people and no one takes advantage of that. It's a damn shame, but that's in line with the "that's about it, GG. EZ." crowd.
I can hear you bitching under your breath: "Cool. But what are you doing about it?" Well, we have a very nice community with over 600 peeps who are willing to learn, teach, share, support each other, and just shoot the shit. If you're hiring, come on over and I guarantee you that you'll find some good candidates in a matter of minutes. If you're in or into cybersecurity, and feeling alone and lost, come on over, too. Newbies, veterans, and everything in between: you are more than welcome to join us. There's no gap, just a bunch of assholes.