I routinely speak with business leaders and senior cyber professionals about the next generation of cyber warriors and what skills they will need to succeed. Ironically, most forward-looking professionals are not focusing on the technical prowess and skills of the future workforce; instead, their emphasis invariably settles on or around Critical Thinking. Critical thinking, and what is required to cultivate this habit, can be hard to define. At its most basic, critical thinking is the ability to analyze, synthesize, and evaluate information in an objective fashion in order to reach a conclusion. Via critical thinking, we can conceptualize solutions to truly vexing problems and circumstances. In a world where data and/or information is at one’s fingertips, the need for critical thinkers is at a premium; we need to sort through mounds of chaff as we try to ascertain where the relevant golden kernels are…and in most cases, the kernels and chaff look almost identical.
So, where does one gain critical thinking skills? It is well known that educators cannot create critical thinkers by merely delivering lectures in classrooms; rather, they must embrace tools like problem-based learning in order to stimulate analytical thinking in our students. This isn’t new, and most learning environments, from K-12 through university, are adopting this approach. Good news! That said, we mustn't forget that enhancing critical thinking abilities requires exposure to concepts and ideas outside of one’s primary area of expertise. This is particularly true of technology and security professionals. What this means is that while technology and security trade-offs may seem black and white when confined to technological considerations, factoring in relevant intangibles may lead to more appropriate and more effective solutions. Figuring out those relevant intangibles will require you to think outside of the traditional boundaries of tech disciplines and consider such ‘wild cards’ as human behavior (psychology), what is happening in the world right now (political science, economics, and sociology), and what the past has taught us (history).
One example of the challenges of thinking only from a technological basis concerns the implementation of email encryption software such as PGP. In the seminal paper "Why Johnny Can't Encrypt," the authors showed that great technology failed to be effective because its creators did not adequately factor in usability issues. Specifically:
Only 33% of users were able to properly sign and encrypt an email, even when given 90 minutes
25% of users accidentally sent their secret email in the clear
In a follow-up study done 8 years later, these problems persisted despite upgrades to the software.
It would be a fallacy to believe that the designers of PGP were inept; rather, the problem was their frame of reference as it pertains to usability. Specifically, how do you make your tool intuitive enough so that a non-technologist – whose priorities are not security-based – can, and wants to, use this tool properly every time? This, at its most fundamental, is a critical thinking problem; had the software designers been able to objectively account for their environment and their customer base, we might have seen more broad-based adoption of PGP as an email encryption standard.
What should be particularly disturbing to cyber professionals about this example is that many of today’s cybersecurity entry pathways are so myopically focused on technical skills that they actually limit the candidate’s critical-thinking ability. Sure, these programs use some problem-based learning in the classroom; but what about the study of other, obvious factors such as risk management, organizational culture (inside the org) and global culture (outside the org), human behavior and human-computer interaction, business/economic priorities, and communication/leadership/management? Many cyber degrees and/or training programs have sacrificed even a basic focus on topics such as communication skills – topics for which there are no defined algorithms or easy ways to quantify ‘success’ – in favor of the immediacy and tangibility of certifications. Further, many technical programs are not only emphasizing reality-based learning over theory, but also eschewing theoretical concepts altogether. If we don’t understand the hows and whys of things (i.e., theory), we may be hamstrung in our ability to look at a new problem and properly diagnose the root cause or propose a viable solution. Remember: the security problems we are trying to solve rarely have answers on Google.
Despite the importance of technical skills, critical thinking skills remain of preeminent importance to business leaders. As the CEO of a security services firm once said to me, “Give me people who can think critically and solve problems, and I can teach them the technology.” In today’s cyber environment, it’s crucial that we foster critical thinking skills as much as, if not more than, technical skills. By definition, this means taking students out of their technology-only comfort zones and continuing to expose them to problems for which there is not a single, obvious ‘right’ answer. We need to encourage students and employees alike to dig into, and understand how to apply, the perspectives and styles of thinking from disciplines outside of tech.
We, as cyber professionals, are at a moment in history where training programs – including 2- and 4-year colleges, certification programs, and bootcamps – want to produce graduates who represent and embody what the industry needs. It is up to us to clearly articulate the importance of critical thinking in our workforce, and then to “put our money where our mouths are” by actually hiring the folks produced by these programs.
My two cents...