Well, well, well. Look what the cat dragged in from cyberspace. The cybersecurity industry is pulling off a magic trick that would make Houdini proud: simultaneously inflating consultant rates and flooding the market with wide-eyed newbies. A paradox wrapped in an enigma, served with a side of irony. You’d think this would be cause for celebration, but hold your horses. This little circus act might just be setting us up for a spectacular face-plant, reminiscent of the outsourcing fiasco that keeps IT veterans up at night. So, let’s peel back the curtain on this digital drama and see if we can’t spot the sleight of hand before it’s too late.
The cybersecurity community once prided itself on a sense of camaraderie and shared purpose. However, this spirit has been eroded by a race to the bottom in terms of pricing and perceived value. By offering free or extremely low-cost training and services, the industry inadvertently sends a message that these skills and efforts have little intrinsic worth.
The devaluation of cybersecurity expertise is further exacerbated by the rise of the “influencer culture” within the industry. In recent years, there’s been a surge of individuals focusing on building their personal brand and becoming influencers in the cybersecurity space. While some of these voices provide valuable insights, the field has become saturated with people eager to share their thoughts, regardless of their actual expertise or experience.
This proliferation of self-proclaimed experts has led to an overwhelming amount of noise in the cybersecurity information landscape (see Alyssa Miller’s article on “Infosec Rockstars vs Influencers”). Social media platforms and online forums are awash with advice, tips, and “training” of varying quality. Unfortunately, quantity often drowns out quality, making it difficult for learners to discern valuable information from mere speculation or oversimplified explanations.
The abundance of free or low-cost content creates a false perception that high-quality cybersecurity education should be easily accessible and inexpensive. As a result, reputable training providers like SANS Institute, CISA (Cybersecurity and Infrastructure Security Agency), and Cybrary, which offer comprehensive, vetted, and up-to-date courses, are often perceived as prohibitively expensive.
The reality is that developing and maintaining high-quality, current cybersecurity training requires significant resources and expertise. However, many aspiring cybersecurity professionals, faced with course fees running into thousands of dollars, opt for the more affordable or free alternatives. This choice, while understandable from a financial perspective, often leads to gaps in knowledge and skills that can have serious consequences in real-world cybersecurity scenarios.
This trend creates a vicious cycle. As more people turn to free or cheap resources, there’s less financial support for high-quality training programs. This could potentially lead to a decline in the overall quality of cybersecurity education, just when the need for skilled professionals is at its highest.
Moreover, the focus on personal branding and influencer status can divert attention from the core mission of cybersecurity: protecting systems, data, and people. When the goal becomes amassing followers rather than developing deep expertise, the industry as a whole suffers.
The situation eerily echoes a famous quote from the reimagined Battlestar Galactica series: “All of this has happened before. All of this will happen again.” Indeed, we’ve seen similar patterns play out in other tech sectors, most notably in the outsourcing boom of the early 2000s.
During that period, many American companies rushed to outsource software development to countries like India, attracted by significantly lower labor costs. While this strategy seemed economically sound in the short term, it had far-reaching consequences for the U.S. tech industry – read this research article “Impact of Offshore Outsourcing of IT Services on the US Economy” by Kalyan Chakraborty and William Remington for more detail:
Job Offshoring: A substantial number of U.S. service industry jobs, particularly in IT, were moved abroad. By 2015, it was estimated that 3.4 million U.S. service industry jobs would be offshored. This shift was driven by the cost savings associated with outsourcing, which allowed companies to lower software and service prices, increase productivity, and invest in new technologies and business ideas.
By offshoring entry-level positions, American companies inadvertently created a gap in their domestic talent pipeline. Fresh graduates found it increasingly difficult to gain the necessary experience to progress in their careers. Fast forward 15 years, and the U.S. now faces a shortage of experienced senior developers and technical managers – professionals who would have cut their teeth on those entry-level jobs a decade and a half ago.
Ironically, the outsourcing tide is now turning against early adopters like India. As companies seek ever-cheaper labor sources or turn to automation, Indian tech workers find themselves facing the same challenges that their American counterparts did years ago.
The parallels to the current state of cybersecurity are clear and concerning. By undervaluing the human element in cybersecurity – whether through free training, rock-bottom service pricing, or over-reliance on AI – we risk creating a similar talent gap in this critical field.
The cybersecurity industry must learn from these historical lessons. While innovation and cost-efficiency are important, they shouldn’t come at the expense of nurturing human talent and expertise. The complex, ever-evolving nature of cyber threats requires a workforce that is not only skilled but also continually developing and adapting.
As we move forward, it’s crucial to strike a balance between leveraging new technologies and valuing human expertise. Only by recognizing and appropriately compensating the skills and efforts of cybersecurity professionals can we ensure a robust, effective defense against future digital threats.
The cyclical nature of these industry trends serves as a reminder that short-term gains often lead to long-term challenges. As we navigate the future of cybersecurity, let’s strive to break this cycle and build a sustainable model that values both innovation and human expertise.
The cybersecurity industry faces a critical challenge: the devaluation of expertise and services, fueled by free but often subpar training and an oversaturated information landscape. This trend, reminiscent of past outsourcing mistakes, threatens to undermine the field’s effectiveness against evolving digital threats. To safeguard the future of cybersecurity, stakeholders must:
Recognize the true value of expert knowledge and quality training
Critically evaluate information sources and invest in reputable education
Prioritize building a skilled workforce over personal brand promotion
By addressing these key issues, the industry can maintain its integrity, improve its talent pool, and enhance its capacity to protect our digital infrastructure in an increasingly complex threat landscape.
I’d like to acknowledge an ongoing discussion between the founders of ThreatGEN and myself about how free training and low-cost services are destroying cybersecurity. Clint Bodungen, Aaron Shbeeb, and Matthew Anderson have felt this firsthand. Jeff Whitney and Gary Leibowitz, as board members, are helping to combat this prevailing “free mentality”.
I’d also like to acknowledge my best friend Patrick Anderson who is experiencing this from another perspective – the IT outsourcing process and implementation. Patrick and I along with Eddie Tipton were partners in Systems Evolution Incorporated in the early years 1999 through 2003, and we were part of onshore outsourcing with the likes of EDS, Accenture, and other large consulting firms. Later in the evolution of Systems Evolution (at that point, a publicly traded company), we acquired Duration Software, which was the largest custom software developer for the state of Texas. Chris Montgomery, Rich Steinle, Frank Prevatt, and Scott Friesen among others understand the later stages of outsourcing as we were competing with the offshore wave.
Lastly, I disclose that I used Anthropic’s Claude to polish my thoughts as well as Perplexity’s search engine for references that underscore my thoughts.
Here is a link to the original article on LinkedIn.