Tue, 16th October 2012
2012 November 19th: Update! We transcribed Winn’s presentation (see below)
2012 November 15th: Update! Blog post on Winn’s latest venture: Cyber Safety and Ethics and Stuff for K12 Kids onwards
We hope this summarizes Winn’s talk fairly; if you feel otherwise, please add your comments below. We are particularly interested to hear from information security professionals who might have experienced discrimination because, for example, they failed an interview personality criterion.
At no time in history has the United States had a greater need for cybersecurity experts to protect government networks, critical infrastructures and private sector enterprises from the global onslaught of organized cybercrime, nation states and terrorists. Winn is not known for his conventional wisdom, and many of his prior controversial commentaries have since become standard fare and dogma in the cyberwar and cybersecurity communities – but he does have a really good case about how HR departments in corporate America (and in government) are failing.
Winn believes that we need a complete top down rethink of how we choose security experts, how we manage them and how we view the skills sets needed to provide the best possible cyber defenses.
Winn says that Geeks do not (often) fit into the traditional mold that has been created by business and government – and he is absolutely right. In his presentation titled, “Solving the Cyber Security Hiring Crisis DHS and the Great Talent Search” Winn questions – “what is normal?” Point being that what is “normal” to an HR Professional is not normal to the security community.
Winn is absolutely right, and this phenomenon must be a great frustration to many security professionals seeking employment, especially when their skills are highly advanced and in demand.
Education is of course important, but is an MBA or a BA in Computer Science an absolute requirement? The answer should be no. Sure, being a CompTIA Security+ professional, holding the CISSP designation or being a Certified Ethical Hacker demonstrates that the individual understands the required skill sets, but how many of these people are actually just studying to pass the exam?
Certifications are great, but they should not be used as a check box by HR, especially by those who have not taken the same tests themselves.
Solving the Cyber Security Hiring Crisis DHS and the Great Talent Search: Transcribed Presentation.
All people are not created equal. And hopefully the audience here knows that if you’re geeky, you’re a little bit different. That’s just part of the deal if you’re really, really good. And the better you are, probably the little bit more different you are. So what’s normal?
So way back with Richard Nixon and the suits, that was considered normal. “The Girl With The Dragon Tattoo,” skills up the ying yang. What’s normal and what’s acceptable inside of our world? So some people play the standard deviation thing. I can do all the math with you, but you have the median, you have averages, and you have the outliers on the side, and that’s typically where good geeks are, and the kind of people we need at networks and the nation.
First thing, we got to get over this education thing, get over these degrees. “You don’t have an MBA. You can’t work for us.” “If you don’t have a college degree you can work for us.” Highly discriminatory, especially in our field where geeks have a very, very special sense that has very little to do with Chaucerian English. It has nothing to do with it. Now, certification is another issue. Should you hire somebody that doesn’t have certifications? Well, ISC2 and Cisco and Microsoft, they’ve all got various levels of certification, but there are also tests, so it should be part of the equation. But my argument is: None of them should be exclusionary just for the sake of being exclusionary; and therefore, I would argue, discriminatory.
We need to get down to the skills first. I’ve heard people say, “How do you judge skills, unless you have it on a piece of paper?” I say for those of you who’ve never been to DEFCON, or been to a geekfest, sit down with a geek. In about 30 seconds you find out if the guy is BS’ing you or not. Geeks can talent really quickly. 30 seconds, first level pass. Five minutes later okay. He knows his stuff; he doesn’t. He’s digging for an hour. Find out if he can really do it. Geeks can do the technical qualifications. Why are we letting HR go through a series of discriminatory tests on pieces of paper? We don’t change security history; meaning, we’re going to keep making the same mistakes over and over and over again. It will be an epic fail, because of the way we’re designing our mobile architectures. Same mistakes we made 35 years ago, same mistakes we’ve made 20 years ago and with every evolution of personal computing.
We need to get politically incorrect, because being nice is hurting us. Now, I’m not saying necessarily be rude; but if you’re a geek, there’s a form of rudeness. Geeks are kind of contentious. That’s how things get done. That’s how smart people learn from each other, by being contentious and by being politically incorrect. Being nice all the time doesn’t get the job done.
We got to quit teaching our kids that they’re something special. Yeah, “little Johnny is special”. But maybe he really sucks at soccer, and he’s really good at math. Or he’s really good at softball, but he’s really a lousy ballet dancer. These are acceptable things. We all have skill sets. We all have proclivities. We all have good, bad, and strengths. Let’s emphasize the strengths and quit trying to emphasize the failures.
But at the same time we need to teach failure. Failure is good. Failure is the necessary component of stress, and we’re afraid to do it for political correctness because of lawsuits. And teachers are not being able to do what they need to do in the educational world.
We need to be able to embrace autism. Recently, the Psychological Association of Psychologists whoever those guys are and they just created the autism Asperger spectrum, and it’s called the ADS, Autism Disorder spectrum, and they put Asperger on them. Good geeks have Asperger’s to some extent, whether it’s over here or over here somewhere on that spectrum all the way over to incommunicative. All good geeks have an aspect of this, and we need to be able to embrace all of those issues psychological differences between us, including ADD and ADHD. Because in order to do a good job in security, you’ve got to be able to focus. Some people hyperfocus to the exclusion of being socially acceptable. Fair enough. Those are back to the skill sets, not what the government is saying and corporations are saying, “You must have a degree and you must be able to fit into this box.”
We need to embrace these kinds of differences. Then they say, “Well, we can’t trust hackers.” Well, who can you trust? How do you go about determining who you can trust or not? Profiling. Absolutely profile people. It doesn’t mean color or whether you’re wearing a turban or religion or sexual orientation. What it means is I care about one thing and one thing only. Are you being deceptive? Are you going to cheat me in the future? How do I determine this?
There are new studies out and new techniques out. Microexpressions will show deception very, very quickly. And I want to hire people that are not going to screw me over. Government, the same sort of thing. So the different kind of profiling here, is about behavior and deception, not about different profiling issues. However, we’ve done a great job of this, haven’t we? So the counter guy and CIA, these are the bad guys. So the counter guy, Robert Hanssen of the FBI, he was the bad guy. We had all the clues, yet we didn’t do the reprofiling as necessary, based upon lifestyle changes.
Government: we need to redefine clearances. This is absurd. You can’t have really good geeks work on network defense because they might end up with a piece of data that is considered cheap, except it’s really open source to everybody that can spell Linux. I don’t get it. We need to redefine clearances in such a way that will allow people, who you might not normally be able to give a clearance to for whatever your discriminatory practices are, and set a new set of standards or allow us to CND, Computer Network Defense, and CNA, Computer Network Attack.
When I was at DEFCON a friend of mine was looking for some really, really good geeks. And I introduced him to a friend over there, a really good geek. I put them together. They talked. And when he said, “What else have you got going against you?” he said, “I’m Canadian.” And we can’t hire Canadians in a lot of these situations, especially in the feds. The private sector is fine. But we need to get over it because we’re doing an awful lot of H1C work, yet we can’t bring Canadians in, or Brits in, or special partners into those things that are considered clearable or secret. Back to redefining clearances. There’s tons of capricious discrimination: ageism, sexism, failing personality tests. There’s this lawsuit going on from Target. This woman could not get a job at Target because she failed the personality test. How many of our geeky friends would fail the personality test? We don’t want their personalities, we want their skills. We have to get over some of these things very, very quickly.
We find every reason to say no. That’s what lawyers do. That’s what HR does. They find reasons to say no to cover their ass, just in case something goes wrong in the future. This is called “risk avoid”. We don’t need risk avoidance. We need to be able to defend our networks and defend our country. And all these reasons up here are reasons that current people are saying we’re not going to hire you for some reason. “You may have the greatest skills in the world, but we’re not hiring you for these discriminatory reasons.”
Nine to five, get over it. You cannot turn off creativity, and hyperfocus, and all these things turn it off at five. If the guy wants to come in and work for 49 hours straight or he wants to work on a beach in Malibu, I don’t care. Get the job done. Thank you very much. Now, corporate American government has to realize there’s competition for skills, not only locally with corporate America and around the world, but also from organized crime. Organized crime doesn’t care about your drug use. They don’t care about your hours. They don’t care about anything other than results.
Same thing with Nation States. They are doing the same thing, hiring people skills who are not hirable by our traditional, western, normal standards of corporate America and government. So we need to find the right stuff. We need to find a way. Instead of finding a way to avoid the problem, we need to embrace the problem. Recognize the skill sets are out there and that’s our cultures to those people who are going to be able to help us.
People who say it’s too hard, again, BS. We’ve done it. If we care, we will do it. And I have been all over the country and all over the world, and I get corporate HR, lawyers, and people saying the corporate structure won’t allow me. Fix it. Find a way around it. Because if it’s really important, you’re going to find a way. But currently, HR, and lawyers, and corporate culture is merely finding excuses.
So I think I got through that whole thing in 13 minutes. It’s normally an hour and a half. After this, let’s engage in some questions.
Max, Concise Courses:
Hats off to you. I think it’s a concept that everyone can get behind. If anyone has some questions please submit them on the chat box. What skills are the DHS looking for right now? What are some of the hot areas regarding skill sets?
Let’s just say cybersecurity. Right now my understanding is and this is second hand information, and even if I could be an order of magnitude off, fair enough. They’re looking for 30,000 cybersecurity people with varying levels of skills. But keep in mind that cybersecurity is not, “I’m a cybersecurity expert; therefore, I know everything.” I might be a penetration guy. I might be a forensics guy, only on hard drive. I might know memory forensics very well. We have very, very vertically oriented skills these days. I may be really, really, super good at mobile. So there’s a complete spectrum of skill sets that they’re looking for, just as you would expect in our field.
Max, Concise Courses:
Process for applying to a DHS job: can you show us any sort of insight to what you would recommend a young, well not necessarily young, individual who’s interested in working in information security? What’s the process for them to look for these jobs?
Well, you go to the DHS website, there’s plenty of links. They’re all over the place. The links are there for job application, but the only thing I would suggest is go in with your eyes open. My son was part of an NSA recruitment with a couple of his buddies, and this goes back five, six years, and they were paying for college and doing all this other stuff. And less than a year into it, every kid quit the program; not because of the program itself, but because they were smart and they were doing some research and found out that once they left the program and went to work in those environments, they would have to completely readjust their lives to meet some artificial norm. So they all chose to quit. We’re losing a huge amount of people for this reason, so go in with your eyes open.
Max, Concise Courses:
Does the private sector experience still hold value? Would you suggest that anyone looking to work for the government have a couple years of private sector experience first or is that really not relevant if they have the skills?
All experience adds. You know, skill sets are great, but skill sets typically come from experience versus book learning. So you end up with the chicken and the egg scenario, and I would argue that folks that have some basic either self taught skills or some hands on skills in a non-formal environment, look for mentoring or entry level positions where they could then really hone their skills. Because you are looking and I’ll quote a friend of mine. He says five to seven years to become really good. I would say seven to ten years, as a generalist. You’re not an expert overnight. So, again, all experience is good.
Max, Concise Courses:
Sounds good. Now, we sort of touched on certifications. What qualifications would you advise security professionals to pursue? Are there any top tips there? Which are the most important ones?
Oh, boy. Again, you know, the first thing I would really suggest to anybody getting into the field is to go off and study the history of this field. Look at what we have done for the last 40 years: the good, the bad, and the ugly. And you’re not going to find it in a course that I’m aware of. Maybe they do have courses now. But there’s a long history of this field, and especially I would focus on what we’ve done wrong. The reason I want to think of what we’ve done wrong is so we don’t make the same stupid mistakes again. The other thing that I’m a huge fan of when it comes to skill sets is an overarching strategic architectural view of enterprise and security.
Traditionally, we overlay security on top of enterprise or on top of IT versus ingraining it in. But they’re still both architectural questions. So I would suggest looking at the big picture before you get overly granular. Some people criticize me that I don’t program anymore, how I haven’t programmed in over 30 years. But I understand the principles of programming. I used to do it. Do I need to be able to have that degree of granularity to be able to bring value to the party? No. I go for the big picture. Then I drive down and delve down into the details. Those would be the two takeaways that I would suggest.
Max, Concise Courses:
Two more questions. Leon Panetta, are you finding him proactively encouraging improvement, or is he just talking about the problem?
I have no idea. I don’t follow politics and government, people to that level. He’s a politician, so I have no doubt he says we need help, like, “We need a lot of help, but we want you to fit into our mold,” which happens further down the chain.
Max, Concise Courses:
Last question. Talked about history. I fully agree with you. Are there any particular resources that you can share with the audience with regards to learning the backgrounds, getting into the history, trying to learn from past mistakes?
There was a really good book written in 1990 called, I think it’s called Risk. It was back in 1990. And I wrote three books on information warfare and going through the risk factors. The thing is, that back in those days in the late 80s and early 1990s we were working at the generalist level. We didn’t have the technology, and were looking at things at a very high level view, and we kind of lost that. I suggest looking at the original Orange Book, looking at the Bell-LaPadula research from the late 1970s, that’s a formalization. Learn formalization of security. And then the next big step was in the late 1980s, early 1990s as networking really took off. The first step was computers and networking. And I would start there to look at the problems that we face and the mistakes that we’ve made and all the technologies that we chose not to use.
Max, Concise Courses:
Well, that was amazing. If I had three thumbs, I would stick all three of them up, but I only have two. That was a terrific presentation. Thank you very, very much, sir. I really appreciate all of your knowledge and insight. And this has been a terrific presentation. I’m sure it will be watched and rewatched many, many times. And I’d like to wish you all the success in the future and hopefully we can get you back on sometime very, very soon.
I’ll be down in Miami in a few weeks, maybe I’ll see you there.
Max, Concise Courses:
I’m looking forward to it. Thank you. Have a good rest of your day.