Top 10 Under 40: Michael Spaling, Team lead, information security, office of the CISO, University of Alberta

What do you enjoy most about your security role?

I enjoy many things, but two stick out. The first is the constant reminder about how much knowledge is out there. The security industry is vast, and I try to learn from people who know far more about a topic than I do. The second is the opportunity to teach security to many students. Some of them have never encountered security before, and once they’ve taken a course on it, they decide it’s something they want to pursue full-time.

How has the industry changed since you became a security professional, and what further changes would you like to see?

During my time in the industry, I’ve seen security become less of a technology problem to be solved by system administrators and more of a business problem that everyone plays a role in solving. Security is no longer what the security team does but something of which all groups are now a part. I want to see this trend continue and more teams learn their specific role and why it’s essential.

Outside of professional training, what has helped you the most in terms of skills development?

I have had many fantastic mentors throughout my career. These mentors taught me important aspects of success, such as how to do certain things the right way, navigate organizational politics and deal with conflict. Given our industry’s stress, they have also been accommodating with time off and relaxation. Most importantly, they have spoken openly and honestly about their successes and failures. All of these skills have proven to be incredibly valuable.

How can the security industry encourage more participation and market itself as a viable and thriving career?

The industry needs to be better at lowering the barriers to entry. For example, many post-secondary cybersecurity programs require a multi-year technical diploma in IT or a four-year undergraduate degree. These prerequisites make it incredibly difficult for someone out of high school or looking to change careers to enroll directly in accredited cybersecurity programs. Ironically, the individuals creating the courses or advising on their content may not have those prerequisites either.

Likewise, cybersecurity certifications may cost thousands of dollars and are generally out of reach for younger individuals. We would reach a much broader and diverse audience if we started offering affordable, entry-level cybersecurity programs containing foundation technology courses. As for cybersecurity as a career, it’s the perfect mix of specialization, highly in demand and can be applied anywhere in the world.