How "Break into Cyber!!!" will Break Cybersecurity

The trend of people looking to "Break into Cyber!" without an understanding of information technology fundamentals is a product of the hype surrounding cybersecurity today. The demand for workers is high, and for people with experience, the field pays well. This has created an atmosphere where there is a flood of new people into the field, because they hear the buzzwords, and hear that there is a staffing crisis, and naturally want to make money in a field that is projected to continue to grow.

People are flocking to the field from all walks of life, often with little or no experience in information technology. Those who are already established in the field sense that there is a lack of qualified professionals vs. demand, and are trying to solve the problem by making cybersecurity ultra-accessible: a thing-in-itself divorced from IT - "Break into cyber today and make loads of $$$! No pesky IT knowledge or experience required!" This approach is ultimately disingenuous, and enables the less scrupulous in our field to generate high cash flows by selling those looking to "break into cyber" much-abbreviated and superficial training: just enough knowledge to clear the entry-level interview.

This approach, while driving new blood into the field in the short term, is already backfiring and will continue to do so in several ways:

1) While experienced individuals in security leadership can continue to demand high salaries in the market, entry-level salaries have collapsed due to an abundance of entry-level candidates vs. demand. I frequently see somber posts from those who rode into the entry level on the hype wave, complaining that either they've sent out hundreds of resumes and still haven't landed a position, or that they've been deceived by promises of riches, their entry-level position in fact pays them peanuts, and that high salaries in cybersecurity are a myth.

2) The quality of cybersecurity work at the entry and mid levels is decreasing. Without an understanding of foundational IT concepts, workers are missing key indicators of compromise and overlooking key security gaps. This is enabling a drift towards "security on paper" which is disconnected from "security in the infrastructure", because there is a growing lack of technical acumen to properly guide technical implementations of security.

3) As this new generation of cybersecurity professionals matures, some will acquire the necessary IT knowledge on the job, but many will not. This, coupled with (2), will cause cybersecurity to further become self-referential, divorced from IT realities, and less useful to business. We will progress through the hype cycle deep into a trough where salaries across the experience spectrum will collapse, and many who entered the field with no prior IT knowledge will find themselves discarded by the industry, along with those who do have the technical knowledge and experience to enable solid security.

In my opinion, we must move away from the "Break into Cyber!" approach, and refocus those aspiring to enter the field on solid technology fundamentals. We should support those looking to enter the field, but advise that a minimum of IT experience is necessary first. Do helpdesk for a couple of years, maybe grow into a server or network admin, and THEN work at "breaking" into cybersecurity. I'm certain that some who are riding the hype wave will brand me a "gate-keeper" for expressing this view, but I stand by it. To drive the industry forward, we need to enable and grow technically-skilled security professionals, otherwise we risk finding ourselves, together with all the newly-minted security-folks, in the collective Trough of Disillusionment.

Aditya Sarangapani

Information Security and Risk Management Leader | Board-Level Advisor on Information Security, Governance, Risk, Compliance and Privacy | CISO | CISM | CDPSE | CISA | Shaping Secure and Resilient Enterprises Globally

2 years ago

Great piece. While I can still consider someone with little technology experience at the entry-level, what is more important is that you keep learning and acquiring skills. Just because you managed to break into cyber does not mean you will stay there if you do not learn. Without that you will simply cease to grow and quickly get thrown out.

Great post. I also challenge folks who want to get into cybersecurity to focus on what roles they actually want to do in cyber. I've seen many people make the transition from software dev to pentester, threat hunter, and folks who went from financial audit to cybersecurity auditing. Of course if someone has the motivation and drive to learn technology fundamentals, it'll go a long way when trying to get into more technical cybersecurity roles.

Gragg Vaill

Hey (Hey), you (You), get off of my cloud...

2 years ago

Preach...

More articles by Igor Barshteyn