Evidently security as an industry does a crappy job at generating interest within kids today. How are we going to fill the massive skills gap we face, if we can’t get students interested in security from an early age. Right? RIGHT?
No. Wrong. Incorrect. False. And every other negative word I can think of to describe how bad an idea it is to try to get kids excited about security early on. Not that we don’t have a massive skills gap. We do. Not that we shouldn’t be doing more to educate kids about security. We need to do that too. But I have seen far too many young people flock to security because of the sheer number of job opportunities. They aren’t with us long.
In fact they hate it. They get seduced by the siren call of good vs. bad. Of fighting attackers and outsmarting adversaries. And then they learn what security is really about. How most of the time the bad guys are long gone by the time you find out and this happened. About the joys of making firewall changes and patching systems in the middle of the night. As they advance, maybe they learn the fandango you need to dance with senior management and the auditors.
Selling young people an idealized vision of security doesn’t do anyone any good. It sets a false expectation and creates disappointment.
That doesn’t mean I think we can just hope young people of the right personality type and talent magically end up in security. Hope is not a strategy. We should be espousing the cool things young people can do in technology. Especially young girls – the gender gap is obvious and needs to be addressed. In order to do security effectively, you need a deep understanding of technology anyway. Let them start there. And then, if they have the competence and personality to do security, grab them.
I was facilitating a roundtable of CISOs earlier this week, and one of them talked about how much success he has had with interns. We all wondered where he found them and which program produced the most capable candidates. He said he doesn’t deal with the interns initially. He gets to know them once they start their internship. He spends time with the high potential folks and tells them the real deal about security. And a portion of them are interested and he hires them when he can. It works.
But glamorizing an unglamorous job will not help us. It just puts you in a position where you have to train a bunch of folks, only to have them later realize security isn’t for them.
Photo credit: “I hate my job” originally uploaded by Mike Monteiro