Supporting Future Leaders and Players in Cybersecurity

There is a significant shortfall in the number of cybersecurity practitioners required across the world, and specifically of concern to me, in Europe^[1]. It’s not merely numbers either – we need both greater numbers but also highly skilled and experienced practitioners. These do not grow on trees… they must be encouraged and nurtured, and I believe that it is encumbant upon those of us who have been around since before this profession even existed to actively support growing the numbers. We must not bemoan the shortfall without actually personally doing something about it. That means getting more people into the profession AND accelerating their acquisition of experience.

Knowledge vs Experience

I’m differentiating experience and knowledge here, because the difference is important. Knowledge is easy to acquire, experience less so. I sometimes use VCR technology to illustrate the difference. (Note to self: I should probably develop a newer analogy since Video Cassette Recorders are somewhat obsolete!)

There are two superficially similar ways to learn how to use VCR technology;

1. Learn how to use all the functions (play, fast-forward, rewind, pause, eject/insert tape, record, and schedule recordings) of a VCR
2. Learn how to use all the functions (play, fast-forward, rewind, pause, eject/insert tape, record, and schedule recordings) of VCRs

The difference is subtle. Both types of learning will result in a person competent to operate the VCR available today. But if that VCR is replaced with a different model from a different manufacturer, then learner type 1 is lost because their specific knowledge is out of date, but learner type 2 is better placed to cope – their knowledge of this VCR is out of date, but their experience of VCRs is not; they know that all these different functions can only work in certain ways, and their experience will allow them to adapt rapidly.

Experience comes with… well, experiences! However, it can be accelerated if those experiences can be shared and discussed with people who have vast amounts of experience. Specific problems and their specific solutions can this way be broadened through such interactions into more general classes of problem, more general classes of solution, and act like a force-multiplier for the acquisition of experience.

Addressing the shortfall

There are only really a few ways to reduce the shortfall.

1. Increase the number of young people embarking upon these career paths, and accelerate their experience where possible.
2. Increase the number of people transferring career paths, and help them to apply their existing skills & experience from other domains to this new one.
3. Don’t let the older practitioners retire! A leaky bucket fills quicker with most of its holes plugged…

That third item is not entirely in jest. And it does mean that the older practitioners in this relatively young profession may need to adjust to working with young whippersnappers by, for example, not calling them young whippersnappers but instead “future leaders in the profession”. We must not jealously hoard our experience; we must share it willingly where it can help. We must take active pride in the development of the younger & newer practitioners rather than feel threatened by them. The shortfall is so large that, whilst some will choose to retire, I strongly believe that there will be plenty of work left for those who choose not to.

It also means that these future leaders & players would be well-advised to not merely look upon us old dinosaurs as… well, old dinosaurs! Instead, look upon them as people who can accelerate your experience so that you can progress more rapidly than otherwise. As Nigel Tufnell puts it in the new Spinal Tap film “…standing on the shoulders of They Might Be Giants…”

I’ve been talking recently about the second item. Many people have transferrable skills, but may not realise it. Beckie McAnespie wrote recently about speaking at an outreach even for those leaving the armed forces. This is EXACTLY the sort of thing required. If just one person from a session like this moved into cybersecurity, then likely tens of thousands of hours of training over that person’s military career would still be put to use.

At BCC2025 I met people from a wide range of current careers moving, or contemplating moving, into the cybersecurity arena; lawyers, military, mathematicians, artists, musicians. If you think the last three sound odd or incongruous, then I’d recommend reading ”Gödel, Escher, Bach: An Eternal Golden Braid” by Douglas Hofstadter.

Greater movement between these professions (and others) and that of cybersecurity can infuse the cybersecurity profession with broader backgrounds and greater ranges of experience. Diversity is a strength; diversity of experience, of background, of thinking, of everything. Aside from greater strength through diversity, it’s a matter of numbers; we simply can’t afford to put off anyone by failing to make them feel welcome. If women feel the environment is unfriendly &/or intimidating then you’ve halved your talent pool right away. And the same hard fact calculations applies to pretty much all characteristics outside the set of {white | anglo-saxon | middle-class | christian | male | neurotypical | straight | binary}. We need a cybersecurity workforce of all the talents & types. From the hyperconcentration & hyperactivity of ADHDers, across the full range of neurodiversities. When we need to out-think adversaries, it’s no good if we all think the same. It’s not just that we need outside-the-box thinking, we need out-of-the-box, out-of-the-door, out-of-the-building, and zooming-the-team-along-the-autobahn-in-a-fast-car-before-the-adversaries-even-get-their-shoes-and-socks-on thinking.

And finally, the first item in the list means that we need to actively encourage young people into the profession. But it’s more than that; we need to support and encourage them once they are inside the tent, not just leave them to sink or swim alone.

The third day of BCC2025 is a slightly separate event, organised by ENISA (EU Agency for Cybersecurity). This year, it was all around the CRA (Cyber Resilience Act). If you’re in the UK, you’ve probably not heard of it. And if you sell software (or devices containing software) in the EU and you’ve still not heard of it… you’ve got problems heading your way. I’ll be writing some introductory articles soon about CRA for those in the UK, just FYI.

Meet Ion

On this third day, I met Ion Miron^[2], a student. Ion is from the Republic of Moldova, a small country sandwiched between România and Ukraine (which comes within about 100m of the Black Sea but has no territorial coastline!)

Using standard terminology (well, standard for me!) it has an area of  1.63 x Wales (Țara Galilor) and a population of 0.8 x Wales. But it is a country right on the front line of information warfare and under great threat from the full gamut of interference from Hostile State Actors (or maybe we should just call them Персонал враждебного государства “personal vrazhdebnogo gosudarstva” because… well, honestly, no real justification needed), and which has the complexities of the whole Transnistria situation too. Ion has got himself into university in București in neighbouring România to study Computer Science with the intention of a career in cybersecurity. And he has demonstrated both enthusiasm and initiative by getting himself along to the CRA part of BCC2025. Why? Curiosity – dangerous for cats, but vital for cybersecurity practitioners because asking the right questions is an art all by itself.

I think this will pay off for him; he has been able to meet and connect with lots of interesting (by which I really mean “weird & wonderful” 🤭) people in this somewhat convoluted world of cybersecurity. He has a small blog where he has written a little on various cybersecurity topics. And posts some very well composed photographs too. Remember what I said about artists, composers & mathematicians? Ion is quite likely to be a future leader in the cybersecurity field. I shall watch his progression with interest. (No pressure Ion!! 😁)

I would like to strongly encourage all of my experienced colleagues to consider what they might do to encourage, accelerate, or support younger people who choose cybersecurity, or those swiching career. Whether through formal or informal mentoring, or any other means. Be the change you wish to see in the world.

Footnotes

[1] Shortfall of Cybersecurity Staff as of around January 2025

• Tens of thousands in the UK.
• 300k – 500k in Europe (EU+EEA).
• 2.8 million worldwide

[2] Bonus points if you work out the origin of the hex digits in Ion’s LinkedIn URL