Transforming Cybersecurity - How the next generation of security products should not require any IT knowledge

We don’t lack cybersecurity ideas. We lack companies hiring juniors and products that are secure by default. These two problems are connected, and until we fix both, we’ll keep talking about a skills shortage while making it impossible to build a secure society.

After working as an external consultant and as an internal consultant in startups and large companies, the two issues I saw most often in information security are:

  • The lack of companies hiring juniors.
  • The lack of companies building useful security products for the masses.

Even though these two subjects are totally different, they go together. Let me explain.

Since the early 2000s, I've seen consulting and product companies refuse to hire cybersecurity juniors. The "You need 5 years of experience to start working in security" mindset. On the other side, one of the main issues in security is the difficulty of having secure-by-default software and systems. The example I like to give is:

If you give 5 minutes to someone who has never used a computer, can they set up 2FA for their email by themselves without any help? 99.9% of the time the answer is... No!

To evolve as a secure society, with everything going on on the internet (breaches, attacks, DoS, fraud, state-sponsored attacks, and more), we need everyone to be secure on the web. This helps secure the economy and our critical infrastructure.

But this is hard to achieve. Many organizations, cities, and governments do not have enough experienced people to build secure infrastructure, or do not have the time or the budget to do so. We've sadly seen too many municipalities with one person doing everything IT and security. They do what they can, but they can't do everything perfectly.

Doing everything perfectly is also complex: so many different systems to learn to use, deploy, implement, secure, operate, etc.

The issue: Most systems aren't secure by default and don't offer secure features by default. We've seen pay-to-play 2FA, or banks not even offering 2FA, or not offering good 2FA. See that list for Canadian banks.

So, to go back to our juniors having difficulty finding a cybersecurity job... well, we also need entrepreneurs!

The challenge?

Creating security features that can be easily included in products, software, or hardware, and that require no security knowledge and minimal to no IT knowledge to use. Those features should be implicit, on by default, and plug and play.

We talked about 2FA being hard for people with extensive IT knowledge. Now passkeys exist. They are much easier and solve the password issues, but they still require the user to be comfortable using a mobile device or a computer. At the same time, in today's age, should everyone have to be a mobile or computer power user? That's a subject for another time.

How?

So how can we help our new generation of entrepreneurs invest time and build meaningful and innovative solutions?

Comment on the post with your ideas!

A few things we did with our community in the past few years:

  • Start a cybersecurity startup showcase at our cybersecurity event.
  • Ask startups to give prizes to our CTFs and events, usually access to their tools.
  • Give discounted prices to startups for visibility in events.
  • Give a small advantage to startups that want to give talks about their product: no sales pitch, just technical demos and how-it-works talks.

That's nice, it works, but it's not enough.

STOP!

We don’t lack ideas in cybersecurity. We lack people building, and building the right thing.

And that’s not because security is too hard; it’s because we’ve made building security unattractive, risky, and inaccessible. We tell young people they are not senior enough, and older engineers that it’s too late to start. On top of that, we romanticize startups, unicorns, and VC money, while ignoring the fact that most real security problems are boring, local, and very real.

If we want more people, young and older, to build secure-by-default products that actually fix real-world issues, we need to change the narrative and the incentives, and lower the entry cost. People don’t start building because security is important; they start when there is a challenge and a clear problem, real users, and a realistic path to impact and income. Security education alone won’t do it. Ownership, responsibility, and trust do.

Some concrete things that might actually help:

  • Fund problems, not pitches. Give money for prototypes solving real issues in cities, schools, and SMBs. (I always loved the DARPA initiatives that pay for hackerspace, "basement", and education projects.)
  • Create fellowships or builder programs instead of pushing everyone to “do a startup”.
  • Pair juniors with experienced practitioners who have seen real incidents, and train them (shadowing ftw!).
  • Reward prevention and boring success, not just exploits, alerts, and clever attacks.

If we want a more secure society, we need to stop expecting everyone to become a security expert. We need to help builders create products where security is implicit, invisible, and just works. That won’t come from more talks or more fear. It will come from giving people permission, support, and real problems worth solving. And definitely... finance those approaches!

Oh! And please, start hiring juniors and train them. We need more people in cybersecurity; so many articles and research papers say that, but there are mostly no jobs for juniors, making that “research” totally invalid when confronted with the market.

What do you think?