CIO

Uni degrees have nothing to do with cybersecurity innovation: Malwarebytes founder

As unis drop the ball on cybersecurity, hiring managers must look past degrees

Relying on universities to fill the cybersecurity skills gap will leave companies struggling to fill out their teams, the founder of a global endpoint-security company has warned as he considers new strategies to fill out staff for the company’s new Australian operation.

Although many in business have habitually turned to universities to design cybersecurity courses and deliver trained students ready for the workplace, Malwarebytes founder and CEO Marcin Kleczynski told CSO Australia that systemic weaknesses in academia meant that businesses needed to take a much broader approach to recruitment.

“We don’t hire the traditional [university] degrees or resumes” to fill the company’s R&D laboratories, he said. “A lot of people come by reputation: we look at these open source projects, look at blog posts, and talk to researchers that are doing this altruistically and want to make a name for themselves. They are already driving innovation for free – and they just don’t have a vehicle to do so.”

Universities, by contrast, had failed to develop consistent training in cybersecurity and often told him they couldn’t even source appropriate lecturers for such courses – because all qualified candidates had opted for more lucrative careers in private enterprise.

“If I only hired people with degrees in cybersecurity I don’t think we would have the staff,” Kleczynski said. “Many universities are keeping their heads in the sand, and not doing programs due to a lack of funding or professors. But how can they possibly churn out candidates that are ready for the workforce if there are no security programs?”

By one estimate, there will be 3.5m unfilled cybersecurity jobs by 2021. The lack of formal cybersecurity skills has dogged the Australian industry, with hands-on certifications pre-empting university training, changes to 457 visa rules further complicating the matter and many CISOs turning to automation to make up for the paucity of skilled engineers.

Industry body ISACA has tried its own approach to closing the gap, mapping out illustrative career roadmaps for cybersecurity professionals and launching its Cybersecurity Nexus (CSX) Practitioner Certification. Most recently, the firm offered its CISM and CRISC certifications online as self-paced review courses – helping broaden the options for an industry where, a recent ISACA survey found, 52 percent of businesses believe traditional cybersecurity training options leave staff moderately to not-at-all prepared.

The deficiency of university-trained cybersecurity experts has become bad enough that IBM recently released a list highlighting five “new collar” cybersecurity careers that don’t require a university degree. These include ethical hackers, threat monitoring analysts, cyber help desk analysts, technical writers, and security awareness trainers.

The need to adjust skills expectations has reinforced the value of the informal process that Kleczynski has taken since founding Malwarebytes in his parents’ garage in 2008. Just as his remediation-focused technology “was unlike any security tool built,” he said, he has built a corporate culture focused on results and innovation.

“I like to fail fast,” he explained, “and while I wouldn’t say we have perfected it, we have done a really good job at it. We’re trying to match the skill sets of these hackers: they’re not really criminals in the rudimentary sense, but they are people who are fascinated with the idea of getting into systems that are air-tight.”

Such people tend to make their own footprints online, but that hasn’t turned Kleczynski off the idea of working with universities to help them develop more industry-ready skills, more quickly. Just months after the company established its Australian presence, he is considering partnerships with the university sector to help harness “untapped potential” in this country.

“We haven’t really been able to grow here as quickly as I would like,” he said, noting that he was eager to grow the company’s six-strong local team and would consider suitable candidates no matter where they are based.

“The people we hire are passionate and knowledgeable about security,” he said. “We have technical people talking with customers on a daily basis, and their ability to feed back issues into the broader team, and R&D team, is unique from what I’ve seen so far. The more markets we’re in, the better outputs we can get.”