Even with 2018 being recognized as another year of the data breach, the cybersecurity field is still lacking in qualified candidates.

Why?

There has been plenty of coverage in the news about data breaches. I am sure by this point the vast majority of people have heard about the breaches of Target, Home Depot, and JPMorgan Chase.

According to Lysa Myers, security researcher at ESET, college students are simply not being told about a potential career in the cybersecurity field. “As far as careers go, I know when I started college it was the really, really early days of people using the Internet on a more common basis. Everyone really wasn’t using it until after I was out of college. So I would imagine there is more visibility into the possibility of a career like we are in, but I think it is still sort of a niche market.

I think when going out and talking with people, most people still don’t realize that this is actually a job.” We had the opportunity to speak with Myers about the unfilled cybersecurity positions, her journey into the field, and what needs to be done to inform people about a career in cybersecurity. Our edited conversation follows.

I know from several articles I have read that the FBI is constantly looking for new agents with a background in cybersecurity, but is having troubles finding qualified candidates. So is there a problem hiring qualified cybersecurity personnel?

Yeah, I would say that is definitely the case. It seems like it is a fairly complicated problem inasmuch as it is not just that there is an absence of people who are looking for those jobs. It’s an indication that there actually might be more graduates than are getting jobs.

The statistic I have seen is I think it is like twice as many people graduate with some sort of computer security degree and end up staying in some sort of technical field.

Why do you think that is?

I think there are a variety of situations. On the employer side, what they are looking for is fairly specific and the computer security trainees that are out there right now my not be up to that. They may be given something that is a lot more generic than what they are needing specifically. The positions I have seen by and large tend to be not junior-level positions.

There tends to be a lot more need for experienced practitioners than are floating around out there. That is part of the mishap.

Location is another one, because companies are located in specific areas, but the graduates might not be. They might not be willing to move. It seems like there might be the aspect of salaries for these positions don’t seem to be growing as much as the need would indicate. Does that make sense?

Oh yeah, absolutely.

When there is a need for something, companies would pay more and more for the right person, but that doesn’t seem to be happening.

When I graduated high school, the Internet was still pretty new. During high school, cybersecurity was never discussed. I grew up with the assumption that if I had antivirus software I was set. Education should focus more on this subject, but when do we start to teach about cybersecurity? 

They absolutely should start educating kids at middle school level at least on just good Internet hygiene. That definitely is not happening yet in most of the country. In most of the country, you can’t even apply any sort of computer science credits towards your graduation requirements.

That is starting to change, slowly but surely, but I was shocked to see that so little had changed since I was in high school 8000 years ago.

One thing that has baffled me is with all of the data breaches we have seen, people can’t see that there is really a lot of job security in the cybersecurity realm. When I talk with my family about my job, they don’t get how there is a need for it.

Yeah, I think a part of it is what is available in college. There are very few colleges that have a dedicated cybersecurity degree. If you don’t see that as a type of job track, why would anyone start to go down that road?

There are two things that come to mind.

There is a lot of training out there for people who are aware of it and interested in doing it on their own, and for a whole lot less money than going to college. For the people who are self-starters and willing to go the less traditional route, the options are definitely out there to get into the career pretty quickly.

My own hope and my own effort in articles I have written is just to make people aware that is out there. All of these things that took me forever to learn on the job are available to learn in a week for a few thousand bucks. That just blows me away.

Second, there is a sense in some circles that [cybersecurity] is something you just have a natural aptitude for or you don’t. Myself personally, my job before I started in security was a florist.

So it is not like I had a computer security degree or any particular aptitude.

That is quite a leap. I made a similar one as well [laughing].

It was. It was a very large leap. I did things very differently than my coworkers because they came from a more computer security background, but I still got the job done. In some cases I was able to do it faster because I was not doing it the more traditional way.

I think you could argue having a different perspective on a problem is a good thing. I feel that if you have too many people looking at something the same way something can be missed.

I am a big proponent of that. When I was helping to find new researchers, I would tend to look for the people who had skills other than technical ones because those can be learned.

There are softer skills like communication that may be a little more difficult if you are coming from a computer science background.

So you said that you are looking for qualified people to fill positions. So what are you looking for to consider someone qualified personnel?

The first position I filled was a triage position would be the best way to explain it.

We had a mailbox where all of our samples came in from customers, and you need to be able to prioritize things because not everything is going to be catastrophic. Some of them are going to be fairly simple, and some are going to need more information.

So you need someone who can get along with people and understand the technical stuff.

When I was looking for researchers, I was looking for someone who was willing to work very quickly.

The government has started to take an active interest in cybersecurity. One of the areas of interest is helping to hire qualified candidates for cybersecurity jobs. Even in the most recent State of the Union address, President Obama mentioned cybersecurity. Do you think that now that our government is paying more attention to cybersecurity that it will help spread the word about the profession and get more people hired?

I hope so.

With these things, it is always a little difficult to see how it is going to affect people. If it feels like you have to be a genius in these fields, people are going to shy away, women in particular. Right now we are not doing a lot to change that mindset that you have to have the natural aptitude to get into security.

I hope as it enters the vernacular and more people are talking about it that maybe it will feel more approachable to more people. That is the big hurdle we need to cross right now.

Let’s say you were at a job fair or a school trying to get people interested in cybersecurity. What would you say to get them interested in the profession or raise awareness?

I think a lot of people think this job involves staring at bytes all day, and that is really not all that it is. It is about helping people.

It is about making a difference in people’s safety.

You can do that through programming, talking to people, there is a whole variety of ways you can do that. It is not just staring at a screen all day. I think that would be what I am most adamant about. You don’t just sit in a cubicle all day. I get to travel all the time. I get to talk to people and meet people, and see what type of impact this is having on them.

It is an extremely satisfying job, much more than I ever would have thought.

It’s 2018. Do you have a cyber prediction along the lines of our topic?

My feeling is that with the way things are going right now, there is a lot more money going into it and a lot more awareness in general.

My hope is that at this time five years from now, there is going to be a lot more people who are going to fill those gaps that we have right now.

Anything else you would like to add before we wrap up the interview?

I heard somebody once say that they hoped that people would step outside of the security echo chamber, which tends to be a pretty insular community, to get into other areas like going to conferences for healthcare, communication, or finance.

I think that is sort of the other part for my prediction. I think there will be more niche security areas in five or ten years than there are now.