Why InfoSec needs rookies like us

so I just need to put the clicky in cuz I forgot thank you very very much for having me here my goodness really really really been it quite excited about today and if it wasn't for you guys and how supportive and everything that you have are to people like me coming into the industry that's just I wouldn't have been here so thank you again information security is an exciting and rapidly expanding industry and so I'm here to talk about and the way in for second needs rookies like us it's not going to work there we go I'm willing to bet that every one of you probably realized that getting into cybersecurity about round about now

means that we are more or less guaranteed lifetime job security according to John McAfee there are two job openings for every qualified candidate and I read somewhere just recently that within the UK and Ireland that statistic is three to one cybersecurity ventures predicts that there are or there will be 3.5 million unfilled cyber security positions globally by 2021 I should say that I am NOT a careers adviser or a recruiter so I'm not looking for someone who's got five years experience in technology that's when you've been around 24 months and I'm not looking for someone who has experienced working with gdpr for ten years so that you can hear me out I'm going to pluck out a few of the issues

that I do see I think that was one of them and I'm going to do my best to offer up some food for food-for-thought on on the subject but I want to start with a question that might Johnson from lift and asked his LinkedIn Network last week you may have actually seen it was a quite a popular post he asked with the growing amount of automation tools in our industry what do the new entry double entry low or jobs look like where and how do we get more people into security and increased skills as I said it was very popular popular post but I'm just going to pick out some of the things that I

some of the key takeaways I got from this a lot of people argued that despite increasing automation roots are unlikely to change that much sock will continue to be a popular way in and current IT roles can transition into security roles so a network engineer for example and will become a or could become a network security engineer and a software developer a aspect engineer some people argued that we need to take a less siloed approach and so every IT position is also a cybersecurity position every IT work or every every technology worker needs to be involved in protecting and defending apps data devices infrastructure and people I picked out these two sentences as well from

comments by Timothy share and and Fernando Soto and they say that we need to recognize that there isn't any one way to get into this field and to take a chance on those that want to and that curiosity is the main ingredient for a successful career in security I absolutely could not agree more but if Tim and Fernando are right then why do we insist on recruiting only technically competent and highly experienced people when in fact we need to bring in and a train up young in bright individuals who can also bring different skill sets walking the InfoSec floor yesterday it was obvious to me that our industry needs considerable help for marketing we need more diverse skills

of course we absolutely need people with technical competencies but we also need people who understand business people who can align security needs with their company's objectives and their industry needs there are others outside of the power bubble of this bubble who understand and care about how other business areas interacts with technology processes and policies according to burning glass positions calling for financial skills are the hardest to fill cybersecurity jobs or such security roles I should say there is a skills gap for workers who meet these hybrid requirements because finance so such as accounting or knowledge about specific regulations and IT skills are rarely trained for together and like me there are a number of people I can see a few here actually

who are working with information security who may not actually be from an IT background because I believe the reason I'm here is because I am able to apply and transfer Mike my commercial experience from before my communication skills my my soft skills if you want to call them that into this new and expanding market so we have a skills shortage but it's not necessarily or not only a cyber skills that we actually lack and we also have a gender diversity problem as well cyber security is an excellent example of profession that needs to address the gender gap globally men are four times more likely to hold to see in executive level positions and nine times more

likely to hold managerial positions than women are and because in case you haven't noticed there aren't that many of us here eleven only seven percent oh sorry eleven percent of positions are held by women and within Europe that number drops to seventh there is another problem as well the average age of information security profession is 42 the world needs more cybersecurity professionals but not enough young people are getting into the field in fact only 13% of us are aged between 30 and 34 and only four seven percent under the age of 29 so other than political and moral reasons there are other excellent arguments for diversity our own studies at culture show that the strongest

security cultures are not necessarily found within existing management or even the IT or security teams male-dominated groups of employees tend to have the have weaker security culture and display far riskier riskier behavior and then those groups were they were the gender balance

Prime and I and I drift a little bit because primarily our job as or our role as cybersecurity professionals are to find the ways to minimize risk to advise senior management on what we need to be able to better do that if cybersecurity is going to be a accepted and adopted and by the rest of our business as positively as other departments like sales marketing and payroll are then front we need to find more effective and better ways to communicate the business areas need to understand that done right security does not have to be a a hindrance or a hurdle in fact it is a business opportunity so stakeholder management is not only essential but it's a skill that is

seriously under recognized as vital within ninety and security the good news is that the second potential resource pool may already exist internally with well-developed communication skills specific industry knowledge and potentially business acumen people from sales marketing HR and just a few examples but these departments can bring qualities and skill sets that can complement those of the typical IT or security professional as well as improve age and gender diversity so my advice for recruiters and employers with many existing employee professionals being spoiled for choice when just when deciding to switch jobs how can we attract and retain stars we all need to feel valued and we need to know that a difference that we make through our work is being noticed and

appreciated so as salaries rise to attract new employees also ensure that existing employees receive matching financial compensation create a career advancement pass for qualified candidates and engage employees in decision-making I mentioned that we need to match job descriptions to the knowledge skills and abilities the role requires but a is e-squared study revealed that employees with higher levels of access to sponsorship felt the most valued in their organization those that have been mentored sponsored and offered participation in leadership development programs not only have higher levels of job satisfaction and they're also more likely to be successful so it's worth a thank you very much my mentors and their sponsors out there as well but another point is education so allow people to

take courses gain certifications and go to conferences just through 30 percent of employees employer sorry invest in their educational development by play by paying for on-the-job training the cyber security field is an evolving rapidly security workers need ongoing training to keep their skills up-to-date and relevant and let's be honest candidates are far more likely to stay in a job or get into a job with companies who are willing to invest in training in education and finally tap those underserved talent pools if if ploy employers are serious about increasing diversity they should be working on expanding the talent pipeline identify candidates from other fields who can quickly a dot adapt to the cybersecurity profession and step step

up recruitment efforts within demographics that traditionally have been underserved for this for our industry so Millennials and and women I'm thinking of right now but tapping into these cybernaut sizeable talent course could help reduce the skill shortage I'm running out of time but I was going to share lots of stats about how men and women actually are very very similar so they share the same workplace values priorities and aspirations and and a lot of their views about what they want from a job in our role are very very similar people who have been mentored sponsored and offered participation in leadership developments have a much higher level of job satisfaction so with with these with this in mind employers looking to

recruit cyber security workers needn't have a separate message for men and women since we want the same things but considering the under-representation of female workers in our field employers and recruiters should probably put some more effort into hiring women and making us all feel valued we need to do more to help elevate the priority of our industry and be better at selling the benefits of a career within information security this means that we need to extend our network and influence beyond this and it is incredibly warm and comfortable and tight-knit community but we need to we need to go out there a bit more and sell the benefits of our career in the short term employers can make progress by

adjusting our hiring expectations investing in education because these things help not only keep their skills up to date but they help us to feel motivated and curious and interested and engaged and of course finally we need to tap into those underserved Hana paws one other thought I'd like to leave you with and that is we need to look to companies who are adopting security culture as a business strategy and ask ourselves how can we replicate that success I said earlier that every technology worker needs to be involved in protecting and defending an organization but perhaps what I should have said is that every worker needs to be involved if we are to create a security culture where every worker is

responsible every worker needs to be involved and we need to open our doors to people from other fields thank you very much are there any questions okay you need to speak up I'm really hard of hearing [Music]

yes absolutely and I think that the fact that you're here at this this event today and that you I would imagine and you're talking to me and you're asking questions and you're getting involved by by by learning more about and building your network within its security it will help open up doors so we are as I said incredibly I have been so maybe I should have mentioned this before but I joined this industry less than eighteen months ago I've never worked an IT or security before and I have basically a sales and development or sorry business development or marketing background and I'm very I'm very very lucky that someone recognized that those skills were that were needed within within that

company and told me that told me that despite when I started getting nervous that despite the fact that I that I don't have the technical skills that a security person might might need don't worry about a ami we can we can I can I can teach this those skills but what you what we need you already have in abundance so someone like yourself if you can find someone that can recognize your skills and build that that network up and find yourself a mentor there are so many besides the fantastic place to define those people and to get that support and weighs in because it is absolutely possible thank you I think I just run out of time but if you would

like to like stay in touch or anything and my email male it's in and our company information is there about so we work with security culture thank you very much [Applause]