Closing the Cybersecurity Skills Gap, Part 1

What Is Cybersecurity, Anyway?

Another issue in our field is that many organizations seem to build security staffing requirements around a bachelor’s degree in computer science. It is possible that this was a good strategy once, but computer science degrees and security are increasingly mismatched, for several reasons. Most people in computer science programs want to write software. Furthermore, most computer science programs offer little material on security. This is partly because there is so much other material to cover, and partly because security knowledge isn’t yet a big part of the development careers that follow. DevSecOps continues to hold promise, and developers may, in time, begin to know and care about security, but we aren’t there yet. Our own intern, Katie Newbold, is a skilled coder with a bright career in front of her, but when she came to us, many basic security principles were new to her.

It’s clear that security is computer science-adjacent at best, in terms of both the body of knowledge and daily behaviors. A computer science graduate coming into security will not only have learned a lot of unnecessary information, but they will also have a lot of catching up to do. If nobody recognizes these gaps for what they are, the candidate can appear untalented or unmotivated.

Which Cybersecurity Are We Talking About?

Another problem is that security itself is a poorly defined body of knowledge. There are so many different skill sets that even veteran security experts often don’t see eye to eye about what a security professional should know and do. Our field encompasses such subdomains as malware analysis, penetration testing, code review, forensics, threat intelligence, risk assessment, compliance, cryptography, network monitoring, and incident response. It requires understanding of other domains, including software development, application architecture, information architecture, data visualization, law, basic business principles, and effective communication. It occasionally requires knowledge from fields like geopolitics, global economics, counterterrorism, behavioral psychology, and statistical methods.

No institution can effectively cover all of this in one shot, and the needs of a given organization will also be determined by its strategy, security architecture, and the hiring manager’s perspective. This means that even experienced people need to be willing to humble themselves and constantly gain new skills.

Thus, the degrees that tend to get hired in the field aren’t a great match, and the field itself is so resistant to categorization that only lifelong learners can write their own tickets. However, one thing marks the kinds of people who go on to do well in the field, and that is fundamental interest in the idea of security. If people have that, we can teach the rest. For that reason, we think that rather than looking for turnkey candidates, it’s better to cultivate the practical skill set among people who self-select as interested.

It’s Better to Grow Your Own Cybersecurity Experts

It can feel like a gamble to invest in unskilled but motivated candidates. It would be great if you could get a security genius off the shelf, but both the history and the direction of the field indicate the need to cultivate rather than purchase. The key to this is to test for passion first. For cybersecurity professionals, continual learning is part of the job. If they aren’t curious and motivated to do this, don’t bother going further. It will be a waste of their time and yours.

Conversely, if you find someone drawn to the field, then training them is a win for everyone—for you, for them, and for the organization. These people will go on to be more effective and significantly cheaper than the alternatives. We also need to emphasize that, in our experience, many of the best candidates will be from nontraditional backgrounds, and not just computer science students—self-taught, passionate hobbyists and code-school candidates have frequently shown themselves to be willing and able to learn and excel in our field.

Next: Care and Feeding of Your Future Expert

The commitment to cultivating raw talent into expertise is obviously a long-term one. Since these kinds of candidates don’t have the formal knowledge yet, they are going to need training and guidance in the beginning. With that in mind, part 2 on this topic will break down some of the most foundational cybersecurity skills. That way, organizations and newcomers to the field can plot their own trajectories and become the kind of defender that organizations really need.


