Here at RSA, an increasing number of security purchases are made by people who had the task dumped in their laps but who have little or no formal or practical training. When under-informed CMOs start making IT security purchases, there is typically a serious technical gap. Accordingly, companies here at RSA hire something akin to carnival barkers to harangue showgoers into accepting what looks like security, but which those buyers are singularly unqualified to assess.

This is likely due to the widening chasm between the demand for security-focused IT practitioners in the marketplace and the smaller number actually available (a gap that widens each month as the growth of what needs protecting outpaces the supply of skills to keep it all safe).

Both of these problems are partly the fault of the IT crowd among us, who have less-than-stellar bedside manners and excessive introverted tendencies, and who aren't eager to share their knowledge to assist the C-suite. Call it job security, or just bad people skills: IT security folks typically don't deliver actionable intelligence in a form that C-level execs know how to use to affect the bottom line.

On the other end of the scale is the MBA C-level exec who got thrown in as the figurehead for the organization's security function. Someone had to do it. Now they have to source some security gear and hopefully get it deployed. Given that the security gear may not even be on premises if it's deployed in the mythical cloud thing, and that vendors tend to promise "set it and forget it", these widening gaps start to make sense.

To address this gap, we concentrate a lot on education here, reaching into pools of candidates that are less IT-aware than the stereotypical hacker-to-be in the torn hoodie in his mom's basement. How can we engage more people from non-traditional groups? We need to do more outreach and work on engaging them, getting the light to click on so that security feels like something they can do and that actually makes sense.

We’re big fans of various efforts to help spread that word, and very happy other organizations are trying, as we are, to do the same. But I’m not confident we can keep up, despite our best efforts.

I get that we're trying to build robots and machine learning to take care of some of the heavy lifting, but that is neither perfect nor a cure-all. There will still need to be people who train the robots on the latest threats, and on remediation methods that aren't worse than the problem they're attempting to solve. That last part is non-trivial.

The security industry needs to do more to help the C-suite get it. They're not as stupid as some IT security practitioners suppose; they just have different imperatives driving their decisions, like keeping the organization's doors open by selling the stuff that pays your salary. If we can help them understand quickly (hopefully without deep-dive explanations at every turn), the whole ecosystem will be better for it.

The C-suite will start to ask better questions of the vendors, and get more precise, meaningful responses in return. Just as in machine learning, where bad inputs produce bad answers and good inputs produce better ones, we need to teach folks how to ask better questions if we are going to win this war and keep everyone safe in the digital world.