The Invisible Profession

Book Review:  The Industries of the Future by Alec Ross

A friend of mine suggested this book and I’m really glad she did.  I try to keep up on world events but I had no idea, for example, what Estonia was up to, becoming “one of the most innovative countries in the world today,” and how Estonia was doing it, “… as one of the world’s leading centers of innovation.”   This is just one example, I have a list of people and organizations to watch from this book that I’d never heard of before.

And it’s impossible for me, as a woman, to not appreciate Mr. Ross’s stand on repressive political systems, especially those that prevent women from taking their places as equals in the public domain.  He predicts that those countries will continue to fall behind economically.  (Although the toll this takes on human lives isn’t a comforting thought.)

But where I would most like to comment, and probably the only sector where I’m qualified to do so, is in his prognostication about cybersecurity.  In his chapter “The Weaponization of Code,” specifically in the section “Clandestine Operations:  Even the Spooks Are Scared,” he quotes Jim Gosler.  After establishing Jim’s CIA credentials and listing his honors and medals, Alec quotes him as saying, “There are about one thousand security people in the US who have the specialized security skills to operate effectively in cyberspace.”

Whoah, what?

What about the tens of thousands of us who work in this industry now?  (Probably hundreds of thousands worldwide.)

Could cyberspace mean something different to them than what it means to me?  I check online definitions, and the common one seems to be what I know, the environment in which computers communicate with each other.  But isn’t protecting that what we’ve been doing since the day the first firewall was installed?  Over the years through my volunteer work in ISSA New England, it’s likely that I personally have known over one thousand people qualified to operate in cyberspace.  While Boston is an important part of the professional landscape, it’s still just one piece of a very large pie.

Maybe they mean that special skills are needed for the latest international threats?  That’s a security professional’s life.  Just when you get controls in place for one kind of problem, new technology introduces completely new risks.  (And, I might add, organizations like ISSA are where we keep up with these challenges.)

No, I think this is just the same lament that I’ve heard for a generation now: the supply of information security professionals is never big enough to meet the demand.  Or so they say.

It was this sentiment, the siren call that pulled me in – I could do that, I could be good at it – that started me studying for security certification, almost twenty years ago now.  Then, in spite of my years of responsibility for networks and network-based applications like e-mail, the only job I could find was with a vendor, selling product, not as a practitioner.  It was a start.

Having had second thoughts myself through the years and having watched people join and then leave this profession, especially women who hover at only about ten percent of us, I do not think it’s a problem of enough minds or even a problem of enough trained minds. And it’s definitely not a problem with interest or motivation; many of the people who leave information security jobs still come to Association meetings, hoping to find their next one in the industry.

I suspect a bigger problem on the demand side.  We haven’t established the parameters for success.  The buyers, potential employers, want known quantities, formulaic talent to compensate for this.  We end up with an endless shuffling of discontent on both the buyer and seller sides that goes right up to the senior level of our industry.  You can check this by using any major search engine and terms like “CISO turnover”; we’ve been talking about this for years.

And an industry that cannot keep its most senior staff in place will always have problems building and maintaining the teams who support them.

I wish I could list, here and now, with simple coherence, the problems that my profession has to solve to be effective and to keep the people we’ve trained in jobs.  I can’t.  I do offer some thoughts in the fictional hacker novel that I’m writing.  If it ever makes it to publication, the readers can tell me if it’s on target.

So what would I tell Alec Ross?  Don’t rely on the word of spokesmen.  Talk to some of the failures, the people who moved on in frustration or who worked for companies who were hacked.  We are obviously and endlessly repeating failure, in people and in practice.  The headlines will tell you.  You may have to have your conversations off the record; most of us live under confidentiality agreements, present and past.  We care enough about our work to discuss problems only when it won’t hurt the people who employ us.

Alec Ross’s book makes thoughtful prophecies about future industries:  robotics, genetics, money, political systems, as well as big data and the weaponization of code.  It struck me that all of these industries have fundamental problems relating to our safety or our privacy that need to be dealt with as they evolve.   This is a thread that runs throughout his book.

They may be invisible, but the number of people with some skill and training in security is legion.  There is an even larger pool of people with interest, who could be quickly trained, or re-trained if their skills are rusty or focused in the wrong area.  Ruling that out as THE problem might help us figure out what’s really wrong and make it right.