Smartest Person in the Room - Christian Espinosa

Smartest Person in the Room (eBook)

The Root Cause and New Solution for Cybersecurity
eBook Download: EPUB
2021 | 1st edition
290 pages
Lioncrest Publishing (publisher)
978-1-5445-1620-2 (ISBN)
11.89 incl. VAT
Cyberattack: an ominous word that strikes fear in the hearts of nearly everyone, especially business owners, CEOs, and executives. With cyberattacks resulting in often devastating results, it's no wonder executives hire the best and brightest of the IT world for protection. But are you doing enough? Do you understand your risks? What if the brightest aren't always the best choice for your company? In The Smartest Person in the Room, Christian Espinosa shows you how to leverage your company's smartest minds to your benefit and theirs. Learn from Christian's own journey from cybersecurity engineer to company CEO. He describes why a high IQ is a lost superpower when effective communication, true intelligence, and self-confidence are not embraced. With his seven-step methodology and stories from the field, Christian helps you develop your team's technical minds so they become better humans and strong leaders who excel in every role. This book provides you with an enlightening perspective of how to turn your biggest unknown weakness into your strongest defense.

Chapter 0


1. Why Are We Losing the Cybersecurity War?


Knowing is not enough, we must apply. Willing is not enough, we must do.

—Bruce Lee

Did you know you have to complete 1,500 hours of training to be certified to cut hair in the state of Arkansas? (I grew up from ages 12 to 18 in Clarksville, Arkansas, so I tend to use it as a point of reference.) That’s roughly 37.5 weeks of dedicated training before you’re let loose on the general public. If you want to cut hair in Arkansas, you’ve got to be passionate about it.

Cybersecurity experts on the other hand, the people who protect all your sensitive information (medical records, credit card information, Social Security number, etc.), can pass a test tomorrow and get hired the day after. No regulations mean no proper training is required. Score 70 percent or higher on a fifty-question cybersecurity quiz and you’ll receive your certification. You’re free to start work the same day, as many employers are eager to hire certified personnel.

Doesn’t this seem a bit backward?

Don’t get me wrong, I never want to get a bad haircut, but if something were to go awry, if my stylist were to accidentally give me a buzz cut or a mullet, that would be a lot easier to deal with than someone stealing my Social Security number or medical records. The fact that it’s significantly easier to get certified to protect my sensitive data than it is to cut my hair underlies the problems we’ve seen in recent years in cybersecurity. Let’s explore the causes.

Cybersecurity Certifications—Paper Tigers


Many people in cybersecurity think we are losing the cybersecurity war because of a lack of certified talent. They think we don’t have people smart enough to combat these cybercriminals and that we as an industry need to pay more to attract the top talent away from our competitors. They think that’s the only way we’re going to win. They believe people are the problem, because they believe there aren’t enough who are qualified. They’re referring to the quantity of qualified candidates.

It’s the quality of the candidates that’s the problem, though. The current certification process itself has led to a shortage of qualified talent. Unlike Arkansas’s beauty industry, many cybersecurity certifications are especially easy to earn. Being “certified” in cybersecurity has become something of a joke among industry leaders because anyone with an internet connection can search the web for the fifty-question, multiple-choice test and memorize the answers. Once they pass, they can quite easily get hired as an analyst or get a job protecting your data.

However, as soon as the job really gets intense, they prove they don’t have the skills needed to safeguard against cybercriminals. I can’t tell you how many times I have hired someone who looks really great on paper—has all the industry accreditations and certifications—but then looks like a deer in headlights when faced with a real problem. I call these types of cybersecurity professionals “paper tigers”—all growl and no teeth—and I try to avoid hiring them at all costs. The bar is dangerously low for cybersecurity certifications and often puts emphasis on skills that don’t really matter. Plus, the tests are typically based on theory rather than application. You often need to temporarily suspend your view of reality and drink the cybersecurity Kool-Aid before taking certain certification exams.

Practical Certifications


I want to be clear—the concept of certifications is great, and there are many certifying organizations (such as CompTIA and EC-Council) that are doing the right thing. Instead of multiple-choice exams, they’re moving to methods that test the practical application of cybersecurity processes. When you’re being hacked in real life, no one presents you with a multiple-choice question and four options. Functional, practical certifications are fantastic and do a better job of preparing technical employees for cybersecurity in the real world.

And the problem perpetuates itself. You hire unqualified people; then, when the people who have passed these certifications get promoted into management positions and have hiring responsibilities, they tend to hire people who have passed the same certifications. They don’t want to hire someone they think might be smarter than them—remember, they want to be the smartest person in the room. If they hire someone who has real-life experience, rather than a certification, their own lack of knowledge and skills may be exposed. The so-called talent shortage exists because our technical hiring managers aren’t hiring qualified candidates.

I used to work with a really smart guy named Doug, and I noticed he tended to hire only people who were not an intellectual threat to him. As a result, his team continued to downgrade with each new hire, and consequently, his results suffered.

When I hired a CTO over Doug, it was the beginning of the end. Doug’s insecurities took over because he saw the CTO as a threat. We were in business to help people secure highly sensitive data, but Doug was more concerned about someone in the company knowing more about cybersecurity than he did. However, Doug couldn’t take it, and he didn’t last long at the company after that.

You can cheat and cut corners to get a cybersecurity certification. Most certifications don’t equate to quality talent. There are exceptions, and some certifications really do help qualify cybersecurity professionals. The majority, however, don’t.

I have more than twenty-five certifications. Given my experience with them, I know firsthand that most don’t single out quality talent like they claim to. Some certifications are great, but they simply aren’t the panacea everyone is after. Hiring someone with a bunch of certifications doesn’t mean you’re hiring someone who is actually qualified to secure your data.

The alternative to certifications isn’t much better, however.

Four-Year College Degrees


If you’re thinking we can easily solve this problem and hire quality talent by requiring four-year degrees, forget it. We’ve tried that, and in my opinion, requiring a college education is the other reason why we’re in this talent shortage predicament in the first place.

By requiring a four-year degree to work in cybersecurity, the qualified candidate pool instantly shrinks. There will naturally be less talent to choose from. Moreover, the four-year college model (like the current certifications model) has its own foundational challenges. The field changes faster than textbooks (and lesson plans) can be updated; how can we expect professors to keep up with the cybercriminals at that pace? Plus, there simply aren’t enough qualified cybersecurity university professors with real-world experience. Most understand only theory, so that’s what they teach. It doesn’t matter if theory is different than reality.

There are two distinct categories of universities. Traditional universities are research-driven, and this extends to their teaching methods. Universities of applied sciences on the other hand are more practice-oriented with the goal of educating students for professional work life. Universities of applied sciences are a little bit better than traditional universities (and their degrees more relevant to cybersecurity) but not by much. Neither adequately prepares its students for a real-life career in cybersecurity.

For two years, I was a cybersecurity professor at a university of applied sciences in St. Louis and taught a master’s-level ethical hacking class, but instead of creating lesson plans and using textbooks similar to those my colleagues were using, my lesson plans were based on real scenarios. At first, I was excited about my new gig, but it quickly soured when nearly half the students began complaining about their assignments.

They said the class was too hard for them.

Here I was, trying to teach my students advanced cybersecurity techniques, but it was clear they didn’t want to work hard to learn the skills they needed to succeed in the industry. (What would someone with nearly thirty years of experience working in the field know anyway?) They wanted the academic cybersecurity degree, but they weren’t passionate about cybersecurity in practice—or their ideas about cybersecurity were far removed from the reality I know. If they had been passionate, they would have dug their heels in to figure out the assignments and pass the class. In person, I have trained more than ten thousand students in cybersecurity and leadership, and it seemed to me that the majority of this group was only in it for the money a career in cybersecurity would bring them.

So I took a step back to evaluate the system as a whole. It wasn’t just the students or this university in particular; it was all universities peddling the same business model—get enough people through the program and entice employers by telling them the graduates have the skills they...

Publication date (per publisher): 2.2.2021
Language: English
Subject area: Computer Science, Networks, Security / Firewall
Business, Business Administration / Management, Corporate Governance / Management
ISBN-10 1-5445-1620-7 / 1544516207
ISBN-13 978-1-5445-1620-2 / 9781544516202
EPUB (without DRM)
Size: 2.9 MB

Digital Rights Management: without DRM