It's Time to Break the 'Rule of Steve'

Discussions about recruitment trends and how people can further their careers in cybersecurity are common topics at industry conferences these days. Recently, at Black Hat Europe, one of the most striking career discussions revolved around audience demographics, which reminded me of a point I'd heard earlier in the week: the "Rule of Steve," a concept originally introduced by Dawn-Marie Hutchinson, chief information security officer for pharmaceuticals and R&D at GSK.

This rule is easy enough to explain: In a room full of cybersecurity professionals, there are usually more people called Steve than there are females. Yes, this is a tongue-in-cheek observation, but it illustrates how far our industry has to go in encouraging not only women but other diverse groups into the workforce.

The security industry needs more people. Globally, (ISC)² estimates the workforce shortage to be over 4 million. That's a lot of people, with the biggest shortage of around 2.6 million reported in Asia-Pacific. The shortfall in North America stands around 560,000, in Latin America around 600,000, and in Europe just shy of 300,000.

It is time to think beyond the usual confines of building a specialized workforce. Often, roles are advertised requiring a master's degree in information security or a Certified Information Systems Security Professional (CISSP) or Certified Ethical Hacker (CEH) qualification. Without doubt, these qualifications are highly valued and sought after, but they probably can only cover a very small percentage of the 4 million workforce shortage — not to mention that individuals with these qualifications are likely already working in the industry anyway.

To build the workforce we need to encourage diversity. We need more women. We need more ethnic diversity. We need more neurodiversity. We need more men. We need more people from a whole range of "groups" who have the right aptitude and attitude to work in information and cybersecurity.

Does everyone who works in the industry need to be technical? No! Here's an example. Business information security officers (BISO) need to be able to speak to the business and speak to the IT and information security functions. They do not need to be able to trace alerts through a SOC to identify potential security incidents and breaches. So instead of looking for a BISO with a Certified Information Security Manager (CISM) qualification, which arguably is the closest professional qualification for a BISO, the net should be spread wider.

For example, don't limit potential candidates to the around 27,000 people with CISM (according to ISACA). Rather, look within the organization for individuals who are perhaps security ambassadors or champions, or others who have expressed an interest to join the group. Even if there are no direct expressions of interest then start with "lunch and learn" sessions to stimulate interest. Don't be dry — make it exciting — and in this way organizations can start to build the next generation of security professionals.

Does everyone who works in the industry need to be in an office? No to this question, too. Remote working significantly expands the pool of candidates, which in turn brings access to better and diverse resource groups. A disparate and global workforce thinks more broadly, has different ideas, and can drive faster business outcomes than centrally located groups.

Some people in the industry do need to be technical, shown again at Black Hat Europe, and finding people with the right technical skills and expertise is also a challenge. However, at the event there was a cohort of technical people — DBAs, for example — who were desperate to make their way in the world of cybersecurity but couldn't find an opening because they didn't have the CISSP qualification. Is the industry limiting itself to that extent? According to (ISC)² there were fewer than 140,000 CISSP qualified individuals globally at the end of May 2019. Surely, we can see a way to bring in these individuals with an aptitude for technology and an enthusiasm for security, and train them into the roles so desperately needed?

There are initiatives around the globe, such as Vietnam's Project DARE (Data Analytics Raising Employment) developing workplace-ready competencies for employers. The US National Institute of Standards and Technology (NIST) Cybersecurity Framework is fast becoming a globally recognized approach for cybersecurity and is being used to develop employee competencies. Look for these in your country or region and take advantage of them — they are there to help build the security workforce.

Many of the people I spoke with at Black Hat Europe were not called Steve and would make fantastic additions to the global information security workforce. It's time to break the "Rule of Steve" and think outside the box.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Chaos & Order: The Keys to Quantum-Proof Encryption"