Cybersecurity Talent Challenges: The Lost Summer Project
In our Zoom for Thought on October 6th, 2020, UCD Discovery Director Professor Patricia Maguire spoke to Owen O’Connor, a Director of Information Security at Salesforce, about “Cyber Security Talent Challenges - The Lost Summer Project”. In case you missed it, here are our Top Takeaway Thoughts.
The Lost Summer Project
O’Connor initiated this online bootcamp to address the shortage of cybersecurity internships on offer because of Covid-19. Internships are “one of our best pathways into the field” but “a lot of companies paused their internship programmes or postponed them or downsized them”. The Lost Summer Project was “a community effort” involving volunteers training and mentoring people online instead.
Cyber security challenges have reached a point where it’s “very clear that we can’t just solve them with technical solutions”. Participants in The Lost Summer Project came from diverse fields - commerce, general business, criminology - “and we need all of those skills, insights and ideas coming into security if we’re going to make progress. It’s part of our maturing as a discipline and as a profession over the years that we have started looking for insights and expertise outside of just technical functions”.
Hiring cybersecurity talent is “more difficult than it is in other disciplines” partly because of “a filtering process at the outset”. There is no clear educational credential that guarantees an interview, so it is “a much higher volume process”. Cybersecurity is also “very hot and high profile and that drives huge numbers of applications and winnowing out the fewer higher quality folks from that is a pretty time consuming process”. The traditional path tends to be a computer science degree with a one-year masters in cybersecurity or some direct experience. But O’Connor is “fairly strongly of the opinion that there shouldn’t be a default path”. The field should be “more open to people from less obvious paths” because “security problems can’t be solved by security people alone”. He is now on a research programme in UCD Smurfit Business School “looking at some of the management and business challenges in cybersecurity, specifically how we manage talent”.
The cybersecurity industry knows how to produce and recognise technical knowledge and expertise in its employees. “We’re much less strong as a discipline and as a profession on how we manage it, how we resource it, how we measure impact over time. I think that’s where a lot of interesting, high impact work will happen in the next couple of years.” This is why O’Connor advocates for opening the industry to more diverse talent. He recommends that non-computer science people who are interested in cybersecurity should try and get into the field via their current place of work. “Just say you’re working in the HR department of a big company and they have security challenges - that kind of internal lateral move. Even if the first role you get is not perfect, doing it within your current company is one good path”.
A discipline within security called threat modelling looks at the question of what information potential hackers might be after. “It depends on who you are. If I am the CEO of a large Irish public company what hackers want about me and my business is different to what hackers want from a Prime Minister of a country in Asia.” Their nefarious motivations vary “from month to month” but in general criminals are looking for “what can sell, what they can make money from”.
This article was brought to you by UCD Institute for Discovery - fuelling interdisciplinary research collaborations.