No cybersecurity without soldiers

No battle anywhere has ever been won without soldiers. The fantasy of wars won by drones, remotely controlled with a joystick in one hand and a telephone in the other, just doesn’t stand up against the reality on the field. At some point, there needs to be arms, legs and brains. When we think of this in terms of cyberwars, Western countries should be deeply concerned.

During a discussion with informed observers of the sector (engineering school directors and business unit managers), two figures emerged: France needs between 4,000 and 16,000 cybersecurity experts, depending on the metrics, while there are 400 graduates from all the schools in the country every year. However, they don’t all go into cybersecurity, nor do they all stay in France. At this rate, it will take between 10 and 40 years to meet the country’s needs.

This gap between the supply and demand for human skills can be explained, at least in part, by a number of factors, but few of them stand up to objective criticism. For instance, students’ disinterest in technical occupations, which are perceived as challenging. But then how do you explain the saturation of the first years of medical school, which are not particularly easy? Low pay? but not unlike many master’s-level courses… The fact that hackers earn far more than cyberdefence experts in companies? But then wouldn’t accountancy courses be abandoned in favour of a career as a bank robber?

The cybersecurity field will need to work on many aspects, especially the images of its professions. The issue of student conferences and fairs has already been addressed. To give credit where it is due, the visionary Michel Van Den Berghe (director of Cyber Campus) came up with the idea of a TV series, noting that « Le Bureau des légendes » had led to a surge in applications to the French intelligence agency DGSE.

Another idea: if the role of schools is to train future citizens, for how long can we say that these future citizens will have spent so many hours from primary to secondary school with so little awareness of cybersecurity? Not to mention post-secondary courses, few of which offer an awareness of cybersecurity in their curricula and which necessarily vary based on the target audience: medical students, technical college students, etc.

Another major potential source of talent is professional retraining. During my career, I have come across a hospital employee in charge of setting up all the routers and switches in a university hospital and whose only certified skills were a boiler-making qualification. There are a lot of potentially great cybersecurity experts out there, and an elite degree is only one way into the field.

The fixation on master’s degrees will have to be reconsidered. When entire cohorts of engineering school students are recruited by big private sector players who stick them in front of SOC screens for eight hours a day looking at curves and colour warnings, is it any wonder that they lose interest in the profession? There is certainly a shortage of engineers, but there is an even greater shortage of well-trained, well-supervised senior technicians who are supported in their professional development. As a former CEO of General Electric said, « the market is bigger than our dreams », and so are the opportunities for career changes.

But above all, it is concerning to see that around half of humanity is almost entirely absent from this exciting sector: women. This is an issue because it robs the sector of potential recruits. But it is also a problem because, as the saying goes, if all you have is a hammer, everything looks like a nail. If you put only men into a room, then they will have a cultural bias when analysing problems and choosing solutions, not to mention an unimaginable number of blind spots. Hence the importance of diversity.

Some occupations have a much greater number of women, such as quality controllers. And that’s great! We need quality controllers because processes like ISO are what structure cybersecurity. Cybersecurity often involves emergencies. And there are whole categories of medical professions who are used to dealing with them, such as nurses.

Cybersecurity is often a matter of communication. And there are entire cohorts of communication professionals who could teach a few things to the technical experts. Cybersecurity increasingly entails legalities. And there are many lawyers who would make excellent candidates.

We must admit that while, in 2023, the market is addressing cybersecurity through a surfeit of technology, it is in fact through human beings – and especially women – that we will get our heads above water. Because wars are lost for want of soldiers.