Undervaluation of Writing
I almost agreed with everything Ben Tomhave stated about the Undervaluation of Writing (skills for information security professionals). For context, a for-profit technical school removed the essay writing requirements that he contributed to the curriculum. He closed with the following:
Being able to effectively communicate ideas in writing is vitally important, not just to infosec professionals, but to humanity as a whole. Programs that undervalue and deemphasize these types of skills are dangerous in that they output students who are simply not adequately prepared for the modern work environment.
As I read the post I was conscious of the economic forces conspiring against Mr. Tomhave, but my sympathy with his position did not turn until I finished his closing statements. Instead of seeing the undervaluation of writing as a risk and waste, I now see an opportunity to refactor.
Technical Talent Scarcity
The current practice of information security management is still as much art as science. An organization's culture and internal politics matter as much or more to the security bottom line than the technical know-how of its security team. We need exceptionally talented security professionals who possess both the soft and technical skills required to manage these organizational politics and influence positive security outcomes. Most technical schools do not produce such talent; most universities don't either. To understand why, we need to consider the market and look at the economic drivers.
Supply and Demand
Demand for qualified security professionals has exceeded supply for the last decade. If security professionals only required the soft skills, then we would have simply recruited bright salesmen and underemployed English majors and the demand would have been satisfied. But a used care salesman isn't going to know how to secure an enterprise even if she manages to convince the CEO to prioritize security spending. Instead, the talent shortage has been predominately about the lack of security-specific training and education. In response, a number of boutique security training organizations were the first to fill the void. Universities began developing curriculum as well, but these programs take a while to get going and even longer to produce their first graduates. This is the exact kind of opportunity for which the for-profit technical schools look.
As the only profit-seeking entities responsible to public shareholders in a crowding market, these technical schools are motivated to produce graduates quickly and inexpensively. This means that they teach the required security skills and nothing else. If the soft skills really are required for these graduates to be successful, the technical schools have three options. They can (1) increase the admission criteria, (2) build them into their curricula, or (3) let the students pursue them on their own. Primarily competing with community colleges for their students, the first option would increase recruiting costs and the disrupted supply would reduce output. The second option, to teach the skills, would result in decreased production capacity and increased incremental production costs. The third option has no adverse impact on profit, which makes it the rational choice for the for-profit technical schools.
Quality and Skill
From one perspective, the output of the technical schools are of low-quality. I use the term quality in the sense that the output of these schools are low-quality versions of the highly-skilled information security professionals that are in demand. And when it comes to the mainstream institutions of higher education, high-quality and high-skill-capable is the most we can expect out of their graduates. The only significant source of talent that is of both high quality and high skill are those individuals that are already practicing and able to evidence their competence through the strength of their achievements (this last bit about evaluating competence was mentioned in my previous post and is going to be handled in a future essay). We have to figure out how to get more value from the existing supply -- no other source will provide enough.
Refactoring
Where then, might you ask, is the value of training people to use vulnerability scanning tools when they are not even able to communicate above a high school level? If we refactor our operational processes and security operations centers in such a way as to create a first level role that can be successfully performed by the graduates from these technical schools, then that can free up our top talent to spend more time on our most important issues. And with more precise job descriptions (requirements), the technical schools should be able to provide us with high-quality, low-skilled workers. To be clear, the vast majority of these individuals are not our future high-quality, high-skilled security thought leaders -- the measures of quality for a low-skilled job are not the same as those for a high-skilled job. Important quality measures at this level would be more attention to detail and a clean background check than they would presentation skills and creativity.
In a future post I want to explore this idea further. Consider the evolution of the PC support technician over the last twenty years and you can see that a similar transition, enabled by ITIL processed and smarter operating systems and hardware, has already occurred. What do we spend time on today that could be performed well enough by someone less qualified if they had the right processes and newer technology?
