Cybersecurity workforce development. A thread.

It is still somewhat frustrating that most of the dialog about the skills shortage in cybersecurity focuses, perhaps inevitably, on the all too simple answer of "let's create more cybersecurity professionals".

1/15
This is usually coupled with (often unsubstantiated) claims that there are millions of open cybersecurity positions. The answer, thus, becomes fixated on how do we create all those cybersecurity people - whatever a "cybersecurity person" is.

2/15
So, we call for more K-12 education programs, more University programs, more certificates etc. Now, I'm not denigrating these efforts and those involved (including me!) - they are laudable goals and do produce useful outcomes. But, sadly, they risk missing the wider point.

3/15
Just as we talk about the need for secure products, not just security products, we also have to shift our perspective on people and say: we need the people we already have to be more productive - and we need more security minded people not just more security people. So....

4/15
1. Cyber-workforce productivity.

If we need 10x more cybersecurity people to fill all those roles, perhaps if we could 10x the productivity of the people we have then that should significantly address the issue.

5/15
Productivity isn't just about automation/orchestration - it can also be stopping doing things, aligning control mitigation practices across different IT risks, auto-configuring, embedding testing, and ensuring the right people do the right jobs matched to the right skills.

6/15
2. Embedding security responsibility in other teams.

The old cliche is true, security is everyone’s responsibility like other attributes of good systems - it's important to talk about this not as a throwaway line but actually hand off that responsibility/accountability.

7/15
Hand-off into SRE, DevOps, development and other teams and support them by developing tools and process to make this happen - to disaggregate responsibility and actions according to criticality and expertise required.

8/15
3. Embedding security training in other education programs.

As others have said, we need more security education in Computer Science and other engineering degrees and more coverage in MBA and other programs - not just security, but also quality/testing/measurement.

9/15
4. Cybersecurity is not the only technology/business risk.

There are many other substantial risks and actual losses caused by software errors, availability and capacity issues, and so on. Developing cyber-controls in a silo misses productivity/effectiveness opportunities.

10/15
Wrapping up.

Let's finish off with an analogy: the medical profession [when it works well]. Not everyone who wants to improve people’s health and well-being wants to or has to be a Doctor to be effective.

11/15
There are many roles requiring different skills, training and experience from (to name a few) nurse practitioners, radiologists, administrators, medical technicians, therapists, general practitioners, highly specialized surgeons through to medical research scientists.

12/15
The system (not to say this also can’t be improved significantly) is designed such that the right person with the right skills sees the patient at the right point in time - no more, no less - optimized around the scarce resources.

13/15
Perhaps we should be aiming for something similar, different roles with different training requirements corresponding to the needs of that role, stacking the training so people can progress over time - but not "dismissing" them if they don’t want to progress further.

14/15
Making sure all the components of the system deliver the right outcome and progressively increase the productivity of each element through training, automation/tooling, adoption of new solutions and practices from research underpinned with codes of ethics/practice.

15/15
Subscribe to Phil Venables