Our CTO John Castle-Anderson has shared his thoughts on the reasons why, and what we can do about it.
Look at typical job ads for security roles and you'll see they all follow the same mantra:
Junior roles requiring 15 years' experience?
Have you got an alphabet soup of qualifications next to your email signature?
Have you got a unicorn level of skills and experience across wildly different fields?
This means that if you are new to the 'security' career path, or have aspirations to be, then you face a problem: an immediate upward climb and barriers that will at best be annoying, or at worst turn you away from the industry altogether, and from roles that you might have excelled at.
You could view the current method for obtaining NCSC's Certified Cyber Professional specialism as another covert barrier to entry. This badge is popping up more and more for roles within HMG, but candidates must stump up thousands of pounds just to 'start' the process of obtaining it. Good luck to talented candidates suffering through the cost of living crisis.
What else drives me nuts: the high-horse elitist attitude of "I am a security professional and I know more than you". Those in IT security roles can suffer from conscious (or unconscious) bias, as their worth is judged on giving the exactly correct answers to the questions that Mr "I am a security professional" decides are important that week. These interactions can be combative and even hostile. Actually, no-one knows everything, so we should always reward those willing to learn!
The security workforce has well-publicised skills gaps and labour shortages. How much of that is caused by these legacy mindsets?
Job hunting in IT security is complicated enough as it is, even for seasoned individuals, so anyone taking their first steps needs extra support and understanding. There's no silver bullet as mindsets don't change overnight, but there is a better way of doing things. Employers, take note!
Support those who are willing to learn. There are an untold number of individuals without specific credentials, but with the mindset and capability to apply security concepts and excel. We have to allow them to learn and flourish on the job. They shouldn't need to have attended university, pass a security exam or regurgitate a CBK to get their foot on the ladder.
Don't mistake difference for weakness. The best security teams are comprised of individuals with a variety of skills, past experiences and capabilities. If you will only hire 'cookie-cutter' candidates, and dismiss those who don't fit the traditional mould out of hand, then you will miss out on creativity and problem-solving potential that could really benefit your organisation.
Change attitude and culture from the top. Look closely at those running your security, and the senior leaders above them. Every organisation is different, but some attitudes should always be called out; snobbery and alpha-type aggression are my special unfavourites.
Food for thought!