It's a People Problem

I had the privilege of being invited to the Cyber Leadership Symposium organised by Lancaster University and Templar Executives. It was a great event, bringing together many of our best cyber security leaders from government, public service, industry and academia to engage with each other and with us mere mortals. I am far from being a cyber leader, though I think I may have been the oldest and longest serving in the field: being a family company focusses your ambition and perhaps limits it.

I had a few hidden agendas in attending.

First, we are working with four students from the Lancaster MSc in Cyber Security on projects that are basically my brain children: some might say my pet projects or even 'bees in my bonnet' - more about them in a later post; so this was a nice opportunity to chat with those students and with their tutors, which was enjoyable and rewarding.

Second, and perhaps because I have throughout my career worked with many students and new entrants to the profession, I have grown increasingly irritated by the unhelpful 'gatekeeping' that sees promising candidates not considered for 'entry level' posts because they lack 'experience'. How a post can be entry level but require experience escapes me - a logical contradiction - but I was interested  to hear what industry leaders thought about it and to talk with them on the subject.

'In my day' (as the old folks like to say), the gate was maths: you needed graduate or postgraduate level maths before people would consider you - if you couldn't do a Discrete Fourier Transform on paper you weren't worthy of consideration. That was as daft a measure then as it is now: for instance I worked in retraining analog TV engineers to work in digital - they couldn't do digital maths (at first) but boy did they know how to make TV pictures look good. (Thanks to the digital gatekeepers who kept them out of the profession for the abysmal quality of digital TV pictures nowadays...).

Maths isn't the gate now: if I say we can reduce the dimensionality of a huge attack vector database by treating it as a matrix and doing a matrix multiplication with a filter vector people look at me as if I'm speaking a foreign language and ask me if I'm doing it in Python or C - coding and tech are the new gates.

I think every speaker except one would have fallen at the maths or coding gates today: acknowledged, demonstrated cyber leaders at the top of their profession, almost every one had entered the field through what would now be considered an unorthodox route. And I'm pleased to say that all not only acknowledged this but stressed it: cyber is a fast evolving field and we need diverse and varied skill sets and backgrounds to help us address the new generation of issues - one thing we do know is that experience in the problems we already solved isn't the one key to tackling the new problems we don't yet know we are going to face.

One theme that emerged from the symposium was that cyber is a 'people problem': it's not solved by tech, which is just a tool that people can wield, to protect but also to attack. And just as cyber adversaries are, in the end, people, so we also need people - with agility, vision, interpersonal skills and leadership qualities to work well with other people - to help us protect against those adversaries. There's a reason that UML makes us draw little stick figures of people as the actors in Use Cases...

So if our cyber leaders all know that we need people of all backgrounds and skill sets, why do so many limit the scope of their recruitment by requiring technical skills? I don't know - it's always been that way: people tend to want people like themselves, 'more of the same', and true leadership perhaps lies in seeing that we want variety, challenge, diversity. But also it's easy, I think, to recruit that way: you draw up a 'Job Description' which includes a list of skills - technical skills being easy to specify and measure - and then you search CVs for those keywords. Maybe you call that keyword search 'Artificial Intelligence' and - bingo! - you can match CVs to Job Descriptions like a sort of Tinder for jobs. Except it works about as well as Tinder and you have to swipe left a lot.

It's harder to consider people as people: to talk to them, to talk with others who know them, to think how they might fit with your company's culture and needs, with the existing team, to consider whether your perceived needs might be adapted to fit the 'right' person - to match the person to the role, and the role to the person, not the CV to the job description.

And of course, in the huge organisations that the Cyber Leaders I had the privilege of talking with lead, they know this: and they work on it, with new entrant induction programs, apprenticeships, continued professional development programs, career paths, mentorship. But the problem, as I think they perceived just as well as I in my uninformed but opinionated way opined, lies in the supply chain: the chain of SMEs who are key to the success of the cyber security programmes of the primes, of the institutions and corporations - because they lack sometimes the vision, but more often the resources, to know how to find the right people, to develop them in their role, to mentor and support and progress them. So they advertise for people who can 'hit the ground running': well, I am a runner and I wrote a best selling book about it, and in my experience if you hit the ground running you are likely to fall over and injure yourself, so I don't recommend it.

So if we focus the issue down to where it arises - in the SME supply chain - then how can we address it? First, I would say the Cyber Leaders already are - they know, and they say more vociferously, that cyber recruitment is a people problem. I think - certainly from the pleasurable and insightful conversations I had with them at the Symposium - that they are happy to talk about it: understanding of the issue, and engagement with it, at the top of the SME is crucial and they can help with that. Maybe some have the resources to support their suppliers in improving it. I have a commercial idea to support this: but I don't run the family business any more, so watch this space in case I can convince the Boss...

I don't have a solution. But in my early days in this field some people started using the term 'Stupident' to refer to students - dismissive, rude, disrespectful gatekeeping. And though that term has thankfully fallen into deserved disuse, I think its sense persists - that students, new entrants, are somehow unskilled, unvalued, unworthy of consideration ... even for entry level posts ... undeserving of respect. And I can say, from my personal experience over nearly four decades of working with students and retrainees ... if we treat these people with respect .. treat them as people ... then we are more than halfway to resolving the 'people problem' we all face. Otherwise it's us who are the People Problem.


Popular posts from this blog

Wave Watching

Homeschool maths

Bread and cocktails