First principles thinking and how the PLG approach can help solve the talent shortage in cybersecurity
Applying systems thinking to the nebulous problem of “cybersecurity talent shortage” and using PLG to help overcome the problem
The importance of first principles thinking
I have been seeing more and more discussions of the so-called “talent shortage in cybersecurity” which has only gotten worse in recent months. Every time I see an article about it, I sense a mild to high feeling of despair about the problem and everything that’s wrong with the industry.
As a big believer in the power of first principles thinking (often referred to as systems thinking or thinking from the fundamentals), I wanted to share some thoughts about the cybersecurity talent shortage and what I think we can do about it.
For those new to the term, I highly recommend this article: First Principles: The Building Blocks of True Knowledge. Tl;dr — first-principles thinking is a way to disassemble a complex problem into the basic, fundamental elements it is composed of, and then to analyze each of these components in order to address the complexity. While this may sound like an obvious explanation, in our day-to-day we see far more of what’s called “reasoning by analogy”, i.e., “this is what worked there, so we should just apply it here”. This is, in my opinion, what contributes to overly simplistic claims that “doing this one thing will solve the problem”.
Talent development funnel: a bird’s eye view
How do people make career choices? How does someone end up becoming a cybersecurity professional? If we take the process and break it down into the fundamentals, it will look something like a funnel which includes the steps below:
Awareness: “I know cybersecurity is one of the career paths available to people”
Consideration: “I wonder if cybersecurity could be something I would be interested in doing?”
Decision: “I would like to work in cybersecurity”
Preparation: “I need to do what is required to become a security professional — learn, meet people, develop necessary skills, etc.”
Job Hunt: “I am now ready to get the job in the field”
Career Progression: “I am deepening my knowledge, skills, and experience about the new areas, approaches, tools, and methodologies aligned with my career goals”
This is an oversimplified view, but it can be usefully visualized as a funnel. There are people aware of the industry who have never developed an interest in it. There are those interested who don’t consider it a viable career option they can pursue. Some would like to work in cybersecurity but never take any action to make it happen; others try hard, take courses and bootcamps, and end up having to take a job in a different field after a fruitless pursuit of entry-level cybersecurity jobs. This can go on and on; the important part is that fewer and fewer people move to the next stage.
Solving the cybersecurity talent gap should be simple
The beauty of taking a systems thinking approach is that it removes the chaotic opinions and offers a clear way to assess, and subsequently solve, the problem.
Since talent development is a funnel, solving the cybersecurity talent gap essentially means optimizing the funnel by taking each step separately, assessing what could be hard about it, and increasing the number of people who can move to the next step.
By identifying the problems at each step in the flow and tackling them one by one, we can solve the nebulous problem of “cybersecurity talent shortage”.
As the math below shows, changes at the top of the funnel are as impactful as changes at the bottom of the funnel. The number of professionals coming out of the funnel is the number of people entering it multiplied by the conversion rate of each stage, so increasing any one of those factors by 20% increases the final output by 20%, regardless of which stage it is. In practical terms, having 20% more people decide to pursue a career in cybersecurity has the same impact on the number of professionals as having 20% more people hired by companies. This also makes intuitive sense.
How PLG enables more people to become employment-ready
At this point, you are probably wondering: “What does PLG have to do with any of this?”. I am glad you asked but before diving in, let’s cover the basics.
PLG: the basics
“For those new to the term, product-led growth (often abbreviated as PLG) is a company mindset in a broad sense and a go-to-market strategy that defines a product as the main vehicle for business growth. Unlike the traditional, sales-led approach where the goal is to “close the deal” (get the customer to buy/upgrade the product by taking them through different stages of the sales cycle), PLG involves giving customers the ability to solve their problems and get as much value as possible, at every interaction with the product. They get so much value that upgrading to a higher tier becomes a no-brainer.”
Source: Venture in Security
PLG: helping people to build careers in cybersecurity
Cybersecurity education today covers a lot of the fundamental theoretical and practical skills that a person needs to find a job after graduation.
One of the biggest gaps concerns access to tooling. An aspiring security professional needs experience working with endpoint detection & response (EDR), network detection and response (NDR), cloud security, software security, log monitoring, and many other technologies that have become ubiquitous across companies of all sizes. The problem is that the vast majority of the tools in the industry are not easily accessible. Unless you contact the sales team for a quote and can prove that you are an established business with a fairly large number of endpoints, good luck getting access to some of the most commonly used tools.
While there are almost always accessible open-source equivalents of the commercial products, when you are a fresh graduate looking for a job in an incredibly competitive industry, it helps to have had experience with the exact tool the company is using (or an equivalent commercial offering).
With access to security tooling being so restricted, it is no wonder that so many aspiring security professionals are stuck in a catch-22: they cannot accumulate the experience required to get the job, because to access the tooling and get that experience, they need to already be employed.
With their transparent pricing and freemium or free-trial components, product-led cybersecurity companies make it easier for aspiring and junior security professionals to learn and progress in their careers. When combined with open-source products into a powerful home lab, they become a training ground that helps security professionals do what they do best — sharpen their skills to build a stronger security posture for their organizations.
A list of accessible product-led cybersecurity tools
There are over 150 cybersecurity products that can be described as product-led, many of which are easily accessible for those looking to build their careers in the industry.
Closing Notes
Any problem is best solved when approached from a first principles perspective. Solving the cybersecurity talent gap is possible if each of the components contributing to this gap is addressed systematically. There are no shortcuts. This post addresses one small component of the problem — access to tooling. There are tens more that need to be addressed, and the best way to do it, in my opinion, is by breaking the problem down to the fundamentals and tackling the factors that contribute to it.
As a product leader, I have a strong conviction that vendors are to a degree responsible for, and have the power to help solve, the cybersecurity talent gap. We need fewer gated, secretive products that are only accessible to a limited number of professionals. There is little point in requiring a job candidate to have “1–2 years of experience using tool X” if there is no way they can ever get access to that tool on their own.
Open source is great, but security vendors should now do their part. The more people can learn how to use the tools they need to succeed, the fewer issues companies will have when looking for job-ready entry-level professionals. While PLG is not a magic wand, it has the potential to help solve the problem.