It’s common to hear that it’s hard to get into cybersecurity, and that this is a problem. That seems to be true, but it’s informative to ask a simple follow-up:
The current cybersecurity jobs gap sits at around 2.7 million people.
A problem for who?
I think what we’re facing is an instance of the Two-Worlds Problem that’s now everywhere in US society. It’s where the vast majority of people are feeling pain from an issue, but there’s an elite that lives in a reality where the problem doesn’t exist.
We’re living in two different worlds.
Is parenting getting more difficult? Ask your nannies to spend more time with them.
Are groceries more expensive? Have your assistant shop at both Whole Foods and Trader Joe’s.
Is gas expensive? That’s why we’re a Tesla family.
It’s the same for security hiring. For MANGA and Unicorn companies—henceforth known as Mangacorns—hiring cybersecurity talent is a nanny browsing Whole Foods with a Platinum Amex.
They get the best of the best. The best candidates, from the best schools, as well as named talent from throughout the industry. And when these fresh college graduates ask for over 200K in base salary, and the named talent asks for over a million in total comp, they plop down the Mangacorn Amex.
At Mangacorn recruiting, most of their days involve the logistics of ‘giant garbage trucks of cash’.
So, for them, everything is fine. Cybersecurity skills shortage? Never heard of it. Everyone wants to work here and they love what we pay!
That’s one world, and just like the parents with nannies and the families with Teslas and shopping assistants, they have a real hard time understanding complaints about gas and grocery prices. The problem is everywhere and everyone else. So in other words, the other 95%.
For everyone else there are problems on both the hiring side and on the getting-hired side. It’s both hard for companies to find qualified people, and it’s hard for early-career applicants to get taken seriously enough to get their first shot.
One can absolutely argue that it isn’t Mangacorn’s responsibility to fix this, but that’s the problem isn’t it? That’s the difference between a healthy society and an unhealthy society. In the unhealthy one, you hear people say a lot that it’s not their responsibility, and in the healthy one people find things that are not their responsibility and they make it so.
From the title you might be thinking I’m down on Capitalism and I’m about to go all Marx you. Nope. I think Capitalism is still—by far—the best of our bad options for managing such things. The problem is the above: responsibility. Or more specifically, in a world where there’s a thriving 5% at the top of any system, who’s going to take responsibility for the other 95%?
If you ask any French cybersecurity recruiter in 1799 they’ll tell you it’s the 5%’s problem as well.
Unsupervised Learning — Security, Tech, and AI in 10 minutes…
Get a weekly breakdown of what's happening in security and tech—and why it matters.
The natural move there is to say the government, but that only seems to work when everyone agrees on the matter—including the 5%. That’s why the Viking countries thrive with a blend of capitalism and government: their 5% have taken responsibility for their 95%.
We need to frame this as responsibility instead of blame.
So, yeah, back to security. In the US we have a lack of someone taking responsibility for building a cybersecurity pipeline. We have a happy 5% in the Mangacorns, and we have a struggling 95% in most SME businesses and startups.
Fairness is not the default state of nature; it’s something you have to struggle to maintain. The default state is a system of have, have-less’s, and have-nots. And the Mangacorns didn’t create this broken system we have now; they’re just benefitting from what came naturally.
But it is time to start blaming them for benefiting from it without doing something about it.
If you want to be the Finland of cybersecurity jobs, the Mangacorns have to take responsibility for the other 95%.
What that means tactically is up for debate, but it starts with the 5% taking responsibility and investing in the pipelines. Maybe that involves some government. Maybe it involves the universities and junior colleges. Maybe it involves big training companies like SANS. And it’s probably all of the above. My friend Jason Haddix and I talk a lot about what this might look like, and he’s doing a series of talks about it as well.
We’re both happy to take any ideas you may have on that front, and to work actively on practical solutions.
TL;DR: If you ever find something that’s broken for most of society, and you wonder why it is broken, ask yourself if it’s still working for the top 5% and whether that 5% has taken responsibility for the success for the other 95%. If not, there’s your answer.