It's a People Problem

I had the privilege of being invited to the Cyber Leadership Symposium organised by Lancaster University and Templar Executives. It was a great event, bringing together many of our best cyber security leaders from government, public service, industry and academia to engage with each other and with us mere mortals. I am far from being a cyber leader, though I think I may have been the oldest and longest serving in the field: being a family company focusses your ambition and perhaps limits it.

I had a few hidden agendas in attending.

First, we are working with four students from the Lancaster MSc in Cyber Security on projects that are basically my brain children: some might say my pet projects or even 'bees in my bonnet' - more about them in a later post; so this was a nice opportunity to chat with those students and with their tutors, which was enjoyable and rewarding.

Second, and perhaps because I have throughout my career worked with many students and new entrants to the profession, I have grown increasingly irritated by the unhelpful 'gatekeeping' that sees promising candidates not considered for 'entry level' posts because they lack 'experience'. How a post can be entry level but require experience escapes me - a logical contradiction - but I was interested  to hear what industry leaders thought about it and to talk with them on the subject.

'In my day' (as the old folks like to say), the gate was maths: you needed graduate or postgraduate level maths before people would consider you - if you couldn't do a Discrete Fourier Transform on paper you weren't worthy of consideration. That was as daft a measure then as it is now: for instance I worked in retraining analog TV engineers to work in digital - they couldn't do digital maths (at first) but boy did they know how to make TV pictures look good. (Thanks to the digital gatekeepers who kept them out of the profession for the abysmal quality of digital TV pictures nowadays...).

Maths isn't the gate now: if I say we can reduce the dimensionality of a huge attack vector database by treating it as a matrix and doing a matrix multiplication with a filter vector people look at me as if I'm speaking a foreign language and ask me if I'm doing it in Python or C - coding and tech are the new gates.

I think every speaker except one would have fallen at the maths or coding gates today: acknowledged, demonstrated cyber leaders at the top of their profession, almost every one had entered the field through what would now be considered an unorthodox route. And I'm pleased to say that all not only acknowledged this but stressed it: cyber is a fast evolving field and we need diverse and varied skill sets and backgrounds to help us address the new generation of issues - one thing we do know is that experience in the problems we already solved isn't the one key to tackling the new problems we don't yet know we are going to face.

One theme that emerged from the symposium was that cyber is a 'people problem': it's not solved by tech, which is just a tool that people can wield, to protect but also to attack. And just as cyber adversaries are, in the end, people, so we also need people - with agility, vision, interpersonal skills and leadership qualities to work well with other people - to help us protect against those adversaries. There's a reason that UML makes us draw little stick figures of people as the actors in Use Cases...

So if our cyber leaders all know that we need people of all backgrounds and skill sets, why do so many limit the scope of their recruitment by requiring technical skills? I don't know - it's always been that way: people tend to want people like themselves, 'more of the same', and true leadership perhaps lies in seeing that we want variety, challenge, diversity. But also it's easy, I think, to recruit that way: you draw up a 'Job Description' which includes a list of skills - technical skills being easy to specify and measure - and then you search CVs for those keywords. Maybe you call that keyword search 'Artificial Intelligence' and - bingo! - you can match CVs to Job Descriptions like a sort of Tinder for jobs. Except it works about as well as Tinder and you have to swipe left a lot.

It's harder to consider people as people: to talk to them, to talk with others who know them, to think how they might fit with your company's culture and needs, with the existing team, to consider whether your perceived needs might be adapted to fit the 'right' person - to match the person to the role, and the role to the person, not the CV to the job description.

And of course, in the huge organisations that the Cyber Leaders I had the privilege of talking with lead, they know this: and they work on it, with new entrant induction programs, apprenticeships, continued professional development programs, career paths, mentorship. But the problem, as I think they perceived just as well as I in my uninformed but opinionated way opined, lies in the supply chain: the chain of SMEs who are key to the success of the cyber security programmes of the primes, of the institutions and corporations - because they lack sometimes the vision, but more often the resources, to know how to find the right people, to develop them in their role, to mentor and support and progress them. So they advertise for people who can 'hit the ground running': well, I am a runner and I wrote a best selling book about it, and in my experience if you hit the ground running you are likely to fall over and injure yourself, so I don't recommend it.

So if we focus the issue down to where it arises - in the SME supply chain - then how can we address it? First, I would say the Cyber Leaders already are - they know, and they say more vociferously, that cyber recruitment is a people problem. I think - certainly from the pleasurable and insightful conversations I had with them at the Symposium - that they are happy to talk about it: understanding of the issue, and engagement with it, at the top of the SME is crucial and they can help with that. Maybe some have the resources to support their suppliers in improving it. I have a commercial idea to support this: but I don't run the family business any more, so watch this space in case I can convince the Boss...

I don't have a solution. But in my early days in this field some people started using the term 'Stupident' to refer to students - dismissive, rude, disrespectful gatekeeping. And though that term has thankfully fallen into deserved disuse, I think its sense persists - that students, new entrants, are somehow unskilled, unvalued, unworthy of consideration ... even for entry level posts ... undeserving of respect. And I can say, from my personal experience over nearly four decades of working with students and retrainees ... if we treat these people with respect .. treat them as people ... then we are more than halfway to resolving the 'people problem' we all face. Otherwise it's us who are the People Problem.



Comments

Post a Comment

Popular posts from this blog

Early Years

 I always wanted to be a teacher. Well, not quite: I wanted to be a superhero with a magic flying Rolls Royce Silver Phantom: then, briefly, during Apollo, an astronaut, and then an RAF fighter pilot but they wouldn't have me because my eyesight wasn't good enough so I transferred to the Flight Navigator program but they rejected me for having no personality or leadership qualities. But by the time I applied to University I wanted to be a teacher: to study physics so I could be a primary school teacher and teach physics - and maths - differently, as I, in my teenage arrogance, felt it should be taught. I've wondered since why I felt that way: what was wrong with maths and physics teaching, that I wanted to go to University to study and learn how to teach it better? Mr Wyatt started it: he was our primary school teacher and he went on a year's teacher exchange to Canada and when he came back he showed us how to make hot air ballons out of plastic bags and cotton wool and
Read more

Wave Watching

A few years back I found oceanographer Mirjam Gleesmer’s blog ‘Wave Watching’: https://mirjamglessmer.com/wave-watching/ which is just what it says: a fascinating and insightful blog about watching waves – and what we can learn from doing so, not only about waves but about what they traversed, reflected off, diffracted around, broke over… It spoke to me particularly because I was then watching waves almost obsessively: ripples on puddles, waves on our local lake, splashes from moorhens and coots and ducks on the canal; sea waves, coastal waves, every kind of wave. I wouldn’t quite say it risked losing me friends but people certainly got used to walking on and eventually looking back surprised to see me stopped staring at some interesting wave phenomenon. Although I became interested in those sorts of waves they weren’t the source of my interest: radio wave were. I’ve studied and worked with waves a lot: it’s a foundation topic in physics and electronics, and I’ve worked on soun
Read more

Bread and cocktails

A cocktail has as many calories as half a loaf of bread. This is the kind of statistic The Meejah love. How many calories are there in half a loaf of bread? What sized loaf? What kind of bread? What sort of cocktail? I am left bemused by this kind of statistic, which is almost but not quite totally devoid of meaning. It is what I would call a 'factoid': a fact that is at the same time surprising, seemingly dodgy, but probably - within its own logical scope - true in a sense. Actually it isn't a real factoid - a factoid is epitomised by my son James's factoids, which are totally true, quantitative, specific facts that are, however, surprising either in being contrary to what one expects or (better, for a good factoid..) just the sort of fact you never thought you would ever need to know or wish to know. James is, and always has been, good at factoids: a photographic memory combined with attention to what most of us ignore equips him to store factoids, and is
Read more