There is a mantra going around whose murmurs can be heard at the edges of our industry like the slow chant of dangerous natives closing in on the out maneuvered explorers...
"Anyone can do cyber!"
Some out there will disagree (there are always some), but I take issue with this statement. The field of cyber security is not an easy field in which to enter, work, or become a professional. It takes a certain mindset to do this kind of work well. So, I cannot get on board with the slogan that anyone can do cyber. However, I will agree that cyber professionals can come from almost any background. As a cyber security instructor over the past 5 years, I have had the pleasure to teach waiters/waitresses, bar tenders, baristas, EMTs, men and women from every military career field imaginable, home makers, realtors, and too many more to list. With very few exceptions, these people have gone on to become cyber professionals in their own right, and demonstrate my point clearly; that cyber professionals can come from almost any background. In that same vein, I have seen countless cases of IT professionals who wanted to, "get into cyber for the money," and have failed miserably at understanding even the most mundane of cyber concepts.
A similar mantra or claim has been made (in a Pixar film about a rat, but you'll get the point in a moment) about cooking. "Anyone can cook." Again, I've met people in my life that can burn water. While they are capable of "cooking" in some sense of the word, I wouldn't want them working in the kitchen of a restaurant in which I'm dining. It takes a certain mentality to become a masterful chef or successful cook. People with this mentality can come from any walk of life, but the idea remains the same as above; some people can cook, others can't, their previous work experience has little to no bearing on their ability to learn to cook well (unless they've already been doing it professionally for some time).
We have to stop automatically assuming that we're going to fill the cyber workforce gap by just throwing sheer numbers of untrained, unqualified people at the problem. Cyber professionals are needed across every industry vertical at every skill level imaginable, but if we are hiring people who don't have the right mindset, we're failing our customers, our company, and the person being hired. We as an industry have to begin doing a better job of identifying those who have the right mindset/mentality for doing the cyber work we need done, and hiring those people instead, regardless of their background. We need to stop relying on some "unicorn" standard of what a cyber person should have on their resume, and, instead, begin looking for ways of assessing whether they will be able to do the job we want them to do for our organization, and whether they have the potential to perform above that level in the future. How do we assess this you ask? Alas, this will have to wait for another post.
One final note. Recently I've encountered a lot of people trying to work their way into the cyber industry who suffer from "imposter syndrome." They feel like they don't have the technical chops or won't ever understand the tech stack the way they need to in order to succeed in our industry. Let me smooth some ruffled feathers and calm some frayed nerves. Not everyone who works for a cyber company has to be a nerd like me. You know the one. Builds his own computers, still into D&D, loves DEFCON because these are his people, loves to play chess, hacks, pen tests, etc. If every person working in any given cyber company were like me, that company would fail in days (if not hours). I could never do the sales work that my sales teams do. I could never make those kinds of phone calls day after day, closing deals and getting the company the work that keeps the lights on. I could never market our company the way my marketing teams do. Advertising, office management, personnel/HR, finance, heck, the very business of running a business day-to-day all escape me. I am a nerd and I have a home here in my little cyber world as a professional because I have extensive experience in the technical stuff that I do every day. I have the ability to share that knowledge with others, which makes me successful (at least I hope I am) as a teacher of new, young, fresh cyber minds. But all those other skill sets have a place in the cyber community. So, if you're a sales person, a marketing and/or advertising person, a lawyer, an office manager, or even one hell of a janitor, there could be a place for you in a cyber company. A little understanding of our technical offerings may or may not better your ability to serve that cyber company, but we still need you. We need you just as much as we need cyber engineers, architects, and analysts. We just need different things from you. If you're already one of these people, I applaud you. I would not be living my best life as a nerdy cyber professional without you. If you're looking at getting into the cyber field and you have one of these backgrounds, remember that you don't have to be a complete cyber nerd with all the technical skills to fulfill a worthy role at a cyber company.
I am passionate about our field. I take personal ownership of every student and my efforts to help them succeed in this field. I am excited to see where we are in 10, 20, even 30 years. So, while I will not join the murmurs and slow chant of "Anyone can do Cyber!" I will say, cyber should be for everyone, and you are all welcome into my nerdy world.