Seventy percent of organizations believe they are affected by a shortage of employees with cybersecurity skills, according to a survey conducted last year by the Information Systems Security Association and industry analysis firm Enterprise Strategy Group. Meanwhile, Cybersecurity Ventures, a research and market intelligence firm, estimated that there will be 3.5 million unfilled cybersecurity jobs by 2021. So it comes as no surprise that governments and companies are trying to think creatively about how to funnel more people into the field, with programs ranging from scholarships to puzzle-solving challenges to penetration testing competitions and capture-the-flag contests.
But while we undoubtedly need a variety of different strategies and approaches for recruiting in cybersecurity, given the growing demand, not every idea is a good one. In a report released this week, McAfee proposes a particularly insipid and unhelpful solution: Hire people who play video games to fill cybersecurity jobs.
The report, “Winning the Game,” has some worthwhile points to make about the value of game-like exercises and simulations for cybersecurity teams. But beyond highlighting that these types of activities contribute to employee satisfaction and preparedness, the McAfee report draws some unfounded and profoundly unhelpful conclusions on the basis of very scant evidence.
Most egregiously, the report suggests that hiring managers should turn to video gamers to fill cybersecurity roles. This recommendation is based on a survey of cybersecurity professionals, 45 percent of whom said they were frequent or experienced video gamers. Additionally, 92 percent of respondents told McAfee that they believed people who play video games had skills that made them suited to cybersecurity careers, and 75 percent of senior managers said they would consider hiring gamers who had no cybersecurity training or experience.
There’s something very backward about looking at a field with a serious diversity problem and deciding that the best way to grow it is to hire more people exactly like the ones who are already working in it. If we decide to recruit the cybersecurity workforce of the next decade by duplicating the people who are already working in the field and the things that hiring managers are already looking for, we will inevitably end up with a very homogenous pool of people who look an awful lot like the ones already in this space. Moreover, if the common wisdom among managers is that a certain group of people who resemble their other employees can or should be hired absent any relevant skills or experience—is that a belief that we necessarily want to encourage?
That’s not to say it’s a bad thing when security managers hire people with unconventional backgrounds: There’s a lot of value in recruiting people with diverse and varied experiences who look at security threats and problems in different ways. But if gamers are already so highly represented within the workforce, then focusing on recruiting them probably won’t lead to lots of surprising new ways of looking at things. It might actually be a better idea to recruit people who use computers in different ways from the current cybersecurity workforce—and therefore have different ideas about possible threats and risks. I’d be more excited about cybersecurity initiatives to hire more people who focus on technology designed for civil liberties or news media or users with disabilities.
Diversity issues aside, there are other problems with hailing gamers as the answer to the cybersecurity skills gap. McAfee hypothesizes that many of the skills that make people good gamers also make them good at cybersecurity. For instance, the report finds that survey respondents believe gamers will be well-suited for cybersecurity careers because they exhibit the following skills: logic, persistence, quick study, an understanding of how to approach adversaries, a fresh outlook from “traditional” cybersecurity hires, and a competitive edge. (Incidentally, only 5 percent of respondents said that gamers don’t have any skills that make them well-suited to working in cybersecurity.) But it’s not entirely clear to me that all of those skills are obviously tied to playing video games—since when did video games require a strong dose of logic as opposed to an ability to easily suspend reality and engage in fantastical scenarios? But even if they are, they’re certainly not unique to playing video games. We might just as well decide that the future cybersecurity workforce should be made up of lawyers, or soccer players, or toddlers. And while I’m all in favor of introducing new perspectives and voices in cybersecurity, I’m a little skeptical of glorifying inexperience and lack of training as a “fresh outlook.” You could even see it as a dig at “traditional” hires who failed to put in adequate hours playing video games.
The kinds of cybersecurity jobs the authors of the McAfee report envision in the future are very much tailored to this adrenaline-fueled gaming population. The report encourages increased automation of the boring, routine cybersecurity tasks—such as monitoring network logs and policy enforcement—so workers can spend their time on “value-added and enjoyable tasks” such as threat-hunting and finding vulnerabilities. The report assumes, essentially, that the tasks that current cybersecurity employees most enjoy are the same ones that everyone else will want to do—an assumption that will probably prove true if we hire people whose background closely matches that of current employees! More insidiously, it assumes that those enjoyable security tasks are more important, more innovative, and add more value than the day-to-day work of monitoring an organization’s security logs or enforcing its information protection policies—two things that the report blithely asserts “can easily be automated.”
Clearly, we need to do a better job identifying the skills required to work in cybersecurity if we’re going to grow our workforce to meet demand. But shaping that growth based on who is already in the field, and what they do and don’t enjoy doing, is a mistake. Our goal for the next several years should be to bring in some people who don’t necessarily look exactly like the ones already working in cybersecurity, who have different interests, and enjoy doing different work tasks—and if they like to play video games, well, that’s fine. But let’s not rely too heavily on that as the deciding factor.