Generational readiness, or lack thereof, in cybersecurity
COMMENTARY: I am sure there are many talented, energetic, capable people coming into the American cybersecurity workforce today, ready to get started on the hard, often thankless work of cybersecurity operations and engineering. Dozens, even.

But I’m worried about the readiness of the majority of the most likely-to-be-hired candidates, for two reasons.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

First, it has never been easier to cheat one’s way through a degree program. ChatGPT, Claude, Gemini, and Copilot have upended the way college and university students learn and demonstrate their learning. I don’t believe many leaning on large language models (LLMs) are pulling A averages, but they’re probably turning in solid B-level work with the help (or more properly, crutch) of a chatbot. Actually learning and retaining the fundamentals is so easy to avoid, it’s like subscribing to a robot service to go to the gym for you, then wondering why you’re not seeing any sick gains.

Higher education is in a full panic, and some professors and administrators have landed on the worst possible solution: turning to LLMs to detect LLM-generated papers and projects. In effect, these institutions are converting classrooms into factories where the computers—not the students, not the faculty—are busily impressing each other with their third-person, passive-voiced, overly generic lists of three things, while the humans escape the learning process entirely.

But that’s not the real reason I’m worried.
Even before the chatbots took over, I believe that the hiring practices for medium-to-large enterprises over-indexed on classroom degrees, certificates of dubious quality, and open-source code contributions. Of course, the desire for some kind of external, objective measure of capability is natural. But we, as a society, are unwilling to actually invest in this goal.

Unfortunately, cybersecurity came into prominence at a time in US history when unionization in all professions is at an all-time low, which means we’ve largely abandoned a crucial path for skilled trade success: apprenticeship. Instead, we’ve adopted a blend of college-level training and short-term internships, with a soupçon of voluntary certification tracks. And yet, the practice of day-to-day IT security is much more akin to electrical work, plumbing, or carpentry, all of which tend to require an apprenticeship for any real non-gig work.

There are elements of the job of cybersecurity that you simply cannot learn from books but must learn by doing. This feature alone is a hallmark of the kind of skilled trade that is best satisfied by apprenticing under the tutelage of a seasoned professional. Even the “highest” professions are like this: doctors must perform years of residency, and lawyers must pass the bar exam in the state where they wish to practice. It should go without saying that the MCAT and bar exams are not in the same league as the CISSP or the CEH.

Apprenticeships tend to conclude with the capability of actually doing the job, end-to-end, not merely sampling what the job is like. Some cybersecurity internships are difficult and fulfilling, but all are relatively short, in contrast to skilled trade apprenticeships that take years to complete. And, perhaps most importantly, apprenticeships are paid like a real job with real job protections, whereas internships range from unpaid to underpaid.

This last part is what is truly preventing employers from finding qualified, engaged individuals.
If your hiring process requires people who can afford to spend hundreds of hours on unpaid open-source software, or an expensive degree, or an internship, you are necessarily cutting out a huge chunk of otherwise smart, passionate, and employable people. When one of your major indicators of hireability suddenly becomes suspect, as we’re seeing now on college and university campuses, you’ve got even worse odds of picking out the one fresh hire who didn’t cheat their way through the screening process.

We’ve never had a skill crisis in cybersecurity. Not really, anyway. After all, the first cybersecurity practitioners (who are mostly still alive) were self-taught, entering a wide-open field with virtually no oversight, and often only a half step removed from criminal practice. That’s not sustainable, or probably even desirable.

The solution we landed on, keeping the costs of learning the cybersecurity trade firmly fixed on the workforce instead of assumed by the employers, has led to where we are today. And the cybersecurity degree programs on offer in colleges and universities are now in danger of being not merely worthless but actively harmful.

I’m very worried about what common, trade-level cybersecurity will look like for the rest of this decade, as a fresh, deeply indebted workforce with practically no hands-on experience tries to replace the aging and retiring artisan class of just one generation before.