At Black Hat, Hottest Cyber Product Didn’t Have a Booth

Ah, Vegas in August. 100-degree heat, pool parties, and thousands upon thousands of hackers. Every summer the cybersecurity world takes over Sin City for a week. Black Hat, growing ever more corporate and responsible, is paid for on expense accounts. DEF CON? Well DEF CON is paid with cash at the door.

I spent a week out there meeting with new technology companies, talking to chief information security officers (CISOs) about their challenges, and getting schooled in the art of network forensics by the good folks who run Packet Detective. Looking back on the week, there was one dominant theme: the need for more skilled professionals in the field.

After a day of hearing pitches from startups I asked the CISO of a popular streaming service what he was shopping for. He answered in one word: “people.” He then asked me what I did and then just as quickly turned his attention on a security operations center analyst at a major credit card company (turns out cyber policy wonks are not in short supply).

The hottest party of the week wasn’t hosted by FireEye or Palo Alto Networks. It was hosted by Nike (see photo above). No, Nike isn’t slapping its famous swoosh on network security gear. If you want to get an idea of how desperate companies are, a maker of athletic apparel now throws parties at Mandalay Bay to recruit cyber talent.

It’s clearly a sellers market. Unfortunately, the market for talent doesn’t work the way that the market for firewalls works. More forensics experts cannot be rolled out of a cleanroom. Training takes time and money and in this field much of the learning is best done on the job.

Years ago, I wrote about one model for solving this problem: have the military train cyber skills and then push out the skills and experience to the private sector. It’s worked for the navy’s nuclear sector and civilian nuclear power and for military pilots and commercial aviation. As one senior official in the Pentagon recently pointed out to me, in 1939 the Army Air Corps had 22,000 members. Five years later the renamed Army Air Force had 2.4 million. DOD can scale.

Yet, at current numbers, the 6,000 cyber warriors Admiral Rogers is training for Cyber Command will be snapped up by the private sector as soon as their enlistment contracts are over without making a dent in the workforce demand.

Instead of looking to government, the cybersecurity industry should steal a page out of the casino industry playbook. If you’ve ever wondered how Mario Batali can open a new high-end Italian eatery in the middle of the Nevada desert without having to pluck his restaurant team out of midtown Manhattan, the answer is the Culinary Academy of Las Vegas.

Run in a unique partnership by the Culinary Workers Union with fees paid by the big Strip casinos, the Culinary Academy trains more than 3,000 workers a year to work as line cooks, bartenders, and servers at Las Vegas hotel restaurants. Graduates leave with the basic skills needed for entry-level positions, ready to gain new skills on the job and focused training down the road.

The most remarkable thing about the Culinary Academy is that it is free. The fees from the casinos not only cover classes but daycare and other side perks.  The do-it-yourself/phone-a-friend approach that most people in the cybersecurity industry used to gain their skill set clearly has reached its limits. Perhaps it is time for the many rivals hawking their wares on the floor of the Mandalay Bay Convention Center to band together and train the workforce so that there is someone to respond to the millions of alerts of malicious cyber activity their devices generate each day.