The seventh year of SC Congress NY kicked off on Tuesday with a panel titled "Hiring the Unhireable versus STEM Education," which examined the prejudices preventing qualified people from gaining employment in the security space.
"It's a battle for talent," said panelist Winn Schwartau, an author and security visionary. "If we don't hire people with talent, they'll migrate to the dark side."
The problem, he said, is that HR departments are stuck with legacy attitudes. Arbitrary discriminators are preventing hiring of the talented, he said. There should be less emphasis on degrees and a return to fundamentals. That includes, he emphasized, the hiring of qualified people who might not fit the profile of the traditional candidate.
The struggle, he said, is to see beyond personality limitations that in the old days were a red flag for the hiring office. Certainly we need more women in the security field, Schwartau told the packed auditorium. He also advocated for the hiring of people with autism.
"They have tech skills that are being overlooked," he said. "They might lack desired personality traits so won't get past HR."
He also pointed out discrimination against seniors, saying it's foolish to devalue the contributions these skilled and knowledgeable professionals bring to the workplace. He added that the workplace would be better off becoming more flexible to accommodate geeks who work on their own schedules, rather than holding to the rigid nine-to-five standard.
He also called it a moral imperative to bring wounded warriors into the field, those men and women who have already proven themselves heroes.
Robert Clark, a cyber law attorney at the Army Cyber Institute, U.S. Military Academy, added that hackers too should be a priority for private enterprises, acknowledging that the standards the government imposes would be too daunting.
"The FBI doesn't hire pot smokers," he said. "There's a lot less regulation in the private sector."
To fill the dire need for qualified pros, both men called for a loosening of traditional prejudices against everything from long hair and gender to personality and academic credentials.
It's also essential to start educating children as early as possible, Schwartau said.
"The government is broken. We can't look there for leadership," he said.
But, Clark added, we need to get that education correct. The emphasis should be on combining cybersecurity skills with aspects of the incident response process, he said.
The problem is exacerbated by a lack of awareness.
"I'm not seeing anyone from the government advocating via PSAs to educate moms, dads and kids," Schwartau said.
"We profile, we have predilections," he said. But should this have any bearing on assessing a person's abilities? he asked. The answer was a firm "No."
"We need to remove artificial barriers we're currently employing," he said.
Additionally, Clark said it was necessary that the CISO advocate against the CEO in bringing in someone with a piercing, for example. It's the culture now, he said, but we need the skill sets someone who doesn't fit the traditional model can bring.
The consensus was that for both the government and private sector, we need to enhance our education for the long term and not just think about the short term, as is embedded in corporate culture. "It's a matter of national security," Clark said. "China doesn't think about profit for the quarter. It's got long-range goals."