Do you know what you do for a living?
I don't mean what's your job title or the name of the department you work in.
Can you break down the work you do each day into its fundamental particles and describe where they actually came from?
It's a challenge that I feel we're facing every day in security, with a shrinking talent pool and an increasingly undefined career path along which we can try to guide youngsters entering the industry, if we want them to be really useful.
When I talk to architects - of one type or another all around the world - they've all been to college, studied a course and gained a comparable qualification. There are differences and specializations - of course - but there are also common threads that you can pull apart that distinguish the skillset that defines an architect and how you go about making a baby one.
They build buildings that do not (usually) just fall down.
I have no such sense of how you make a security “person” - see, I don't even know what to call it…
Security Engineer? No. That comes with way too much baggage, and pigeonholes the individual in a way that the term “architect” does not.
Security Consultant? God no!! What even is that??
The question occurs to me quite regularly. If I wanted to build another me from the ground up what would be the components I'd need to smash together if I wanted to get something useful out of the end?
A solid grounding in electronics. Not just theoretical stuff, and not just a college education. You need to have built stuff, got the solder burns, watched things go on fire, figured out why and fixed them. You’d need to have put things together that should have worked but didn't, and things that shouldn't have worked but somehow did…and you had to go work out why. When you've been doing this for long enough that you can make things with predictable outcomes more often than not, then you've made it.
A practical understanding of electrical installation. Electronics people often think they just sort of know this stuff but they don't. You need to have installed conduit, pulled cables, cut yourself, burned yourself, crushed various parts of yourself, and done it all in the rain, wind and snow enough to have sufficient respect for people who do it well in these conditions, so that you’ve earned the right to be able to criticize work that's done badly.
A good working knowledge of how computers work, along with professional level competency in at least one programming language. We live in an irretrievably digital world, and if you can't understand what holds that landscape together then you're in no position to anticipate where risks are going to emerge or manifest themselves today. You also cannot understand how any of the tools you're hoping to use in your job actually work…and what kind of fool doesn't know how their tools work?
You need to have lived somewhere for a significant amount of time where you were personally exposed to a significant amount of risk. This is a slightly controversial one, but honestly - if you lived your life in a place with no crime, with a wealthy support mechanism that kept you away from criminals, and where the temptation, opportunity or need to commit crime or defend yourself against it has never arisen, what - honestly - makes you think you're qualified to bring anything useful to the party? I don't mean to discriminate, but at the very least you need to have enough perspective to know your weaknesses.
If all of the above did not establish within you a basic enough understanding of physics to figure out fundamental blast, ballistics, physical security and HVM then you probably weren't paying attention, but hopefully you do get the point that electronics and software will only get you so far in this world.
With all of these fundaments in your back pocket I could probably do something with you. Of course you don't necessarily know anything about cameras or access control or cyber or encryption or what risk management actually looks like in the real world at this stage but at least we can have a conversation with some common language.
Spending time on site doing the things in that list is likely to expose you to some of the facts of life about security operations, but I would not take that for granted. I learned a lot from being on site but I don't really know how. Osmosis and self preservation, I guess.
I'd also guess that if you got through all of the above you have an inquisitive mindset, and that you aren't gullible enough to just take for granted what people say - either about their own security situation or about the products they are trying to sell you.
That's a big assumption that I can't guarantee. I'm inherently sceptical. That's not the same thing as being inherently cynical. I get cynics, but they're negative and will never create anything. I - on the other hand - am an inherently pragmatic but well informed sceptic. That's a very different thing to a raw cynic, the likes of whom I encounter all the time…irritatingly…
It's easy to pull something apart, but what's the point if you have no idea how to put it back together in a way that doesn't make it worse?
If you had been about a bit you might have also experienced the wonderful world of contracting, and are both able and willing to look after yourself while getting the job you've agreed to do done.
There are perhaps other routes to becoming a legitimate security person. I've seen a couple of them - although to be honest the end results have always amounted to the same thing. Dirty hands, technical competency and an appreciation of risk that didn't come from a book or the internet.
The problem is that I just don't see where the pipeline of people like this comes from any more. How are you going to jump the pay and reputation gaps that have established themselves between the streams? You can make okay money in the trades (and probably will for the foreseeable future if you're good), or you can make good money in the closeted life of the software-centric world, but where are the inflection points? There's not nearly enough money in physical security to make a career out of it, and not nearly enough hardship in the cyber-software world to make those people of any real use on the physical side.
Meanwhile the analysis folk popping out of college with more knowledge of statistics than you could ever need will write a nice report but never touch a lock, a camera or a card reader in their lives. Not saying they're use-less but I am saying they're use-limited.
I'm skipping operational security personnel in this analysis, not because I don't feel they're important or a part of the mix, just because neither the PHYSEC community nor the CYBER community nor the INTEL community are ever going to be part of the PUNCH IN THE FACE community that make up a sizeable portion of that industry.
As I bang my head against the brick wall of convention trying to get people to adopt the potential of digital to help reduce the mundanity and irrelevance of dumping camera and door symbols onto 2D layouts, I wonder whether the opportunity to identify and nurture real security talent has been missed.
As we continue to dumb down what we're able to offer based on the available expertise so that we can reach an hourly rate the market is willing to stomach, we cut off the real security career path at its knees, and actively promote a weird dystopian future that's totally ill-prepared to counter real world threats from people with dirty hands and active imaginations.
It really concerns me that the needs of modern urban design are pushing the demand for tens of thousands of cameras per development, while the incessant pressure on cost has stripped the industry of systems integrators with the in-house capabilities to competently design, install and maintain them. I'm not saying there's nobody who can do it, but I am saying you're going to struggle to find options, and you do need to be careful about your choices.
Where is the experience and understanding of the technology if you're making those choices and haven't been to a few rodeos of your own?
Surely we're not left with nothing but ASIS? I've never found that route to be a very compelling option but what else is there if you can't stomach the hard work and years of commitment needed to build your skills from the rudiments?
Thank your lucky stars if you live in a part of the world where people still do engineering apprenticeships and your bicycle gets stolen now and then. Or will robots do those jobs in the future too?