Evidently security as an industry does a crappy job at generating interest within kids today. How are we going to fill the massive skills gap we face, if we can’t get students interested in security from an early age? Right? RIGHT?
No. Wrong. Incorrect. False. And every other negative word I can think of to describe how bad an idea it is to try to get kids excited about security early on. Not that we don’t have a massive skills gap. We do. Not that we shouldn’t be doing more to educate kids about security. We need to do that too. But I have seen far too many young people flock to security because of the sheer number of job opportunities. They aren’t with us long.
In fact they hate it. They get seduced by the siren call of good vs. bad. Of fighting attackers and outsmarting adversaries. And then they learn what security is really about. How most of the time the bad guys are long gone by the time you find out anything happened. About the joys of making firewall changes and patching systems in the middle of the night. As they advance, maybe they learn the fandango you need to dance with senior management and the auditors.
Selling young people an idealized vision of security doesn’t do anyone any good. It sets a false expectation and creates disappointment.
That doesn’t mean I think we can just hope young people of the right personality type and talent magically end up in security. Hope is not a strategy. We should be espousing the cool things young people can do in technology. Especially young girls – the gender gap is obvious and needs to be addressed. In order to do security effectively, you need a deep understanding of technology anyway. Let them start there. And then, if they have the competence and personality to do security, grab them.
I was facilitating a roundtable of CISOs earlier this week, and one of them talked about how much success he has had with interns. We all wondered where he found them and which program produced the most capable candidates. He said he doesn’t deal with the interns initially. He gets to know them once they start their internship. He spends time with the high-potential folks and tells them the real deal about security. And a portion of them are interested and he hires them when he can. It works.
But glamorizing an unglamorous job will not help us. It just puts you in a position where you have to train a bunch of folks, only to have them later realize security isn’t for them.
Photo credit: “I hate my job” originally uploaded by Mike Monteiro
2 Replies to “Reality Check for Millennials Looking at Security”
I agree in spirit but disagree with some of the substance. What you describe shouldn’t be the guts of a security job. Patching servers, making firewall changes, etc., are IT jobs. Sure, they focus on the parts of IT most related to parts of security, but the 80% job of security lies elsewhere.
We should be raising a generation of security staff who understand business more than technology, and we should be raising a generation of IT admins who understand that security is a core part of their job too. Security people need to be analytic, need to have the ability to see a big picture and need to know how to communicate across diverse audiences. This is an exciting field and one which should be very attractive.
And for some, IT work is rewarding. But we have to get out of the mindset that security is a technology job.
I feel pretty strongly on this subject, and often get the, “how do I break into security” question from millennials. I always advise them that security isn’t an entry-level field. You shouldn’t try to “break into it”. You need proficiency somewhere else first. I suggest finding some area of IT for them to start their career first, and then plan a move into security 3-8 years down the road. Until then, do it as a hobby, not a job, to get a feel for what you like in security, and form a career plan that gets you there.
The bottom line, in my opinion, is that without IT, information security doesn’t exist. It is a layer on top. If you haven’t done IT, you’re not going to have the perspective, experience or skills necessary to be good in security, or enjoy it.