Writing in 1776, in the first chapter of the Wealth of Nations, economist Adam Smith identified the primary driver of progress as “the effects of the division of labour.” Smith’s Wealth of Nations still generates furious debate today – particularly around the “invisible hand” of capitalism. But on the division of labour, it is hard to argue.
Smith’s example was the eighteenth century pin factory, where “One man draws out the wire, another straights it, a third cuts it, a fourth points it, a fifth grinds it at the top for receiving the head … and the important business of making a pin is, in this manner, divided into about eighteen distinct operations, which … are all performed by distinct hands”.
Today’s workplace is rather different from a pin factory, but we still depend on the division of labour for efficiency. In a startup the same individual may develop the product, sell it and manage the suppliers. In a large corporate, what we lose in agility we gain in efficiency: we do not expect salespeople to clean the carpets; we do not expect finance departments to draft press releases; we do not expect HR departments to configure webservers.
But there are things that everyone has to do. Everyone has to file expenses from time to time, for example. So what do we do? We innovate to minimise the overhead of these tasks – using technologies such as Expensify.
For those of us who work in cyber security, security is a core competence. It is where we (hopefully) add the most value. For most people though, it is not. It is an overhead.
That does not mean it is not critical. In our startup, it used to be critical that I ran the payroll every month. But things certainly became a lot more efficient once I could pass that on to someone that is really good at that sort of administration and could focus my time on product development and working with customers.
So I would never argue that we are wrong to require cyber security training. It is critical. But we must recognise that it is an overhead, and ask how we can innovate to reduce the burden on people whose core competence is something quite different.
Innovation means thinking differently. In the mid 20th century, polio victims relied on an iron lung to survive. But the answer to polio was not a better iron lung: it was a vaccine. In the same way, the answer to the overhead of cyber security training is not better training: it is reducing the need for training. Rather than expecting employees to carry out an impossible risk assessment to determine whether to click on https://bit.ly/2KqBUuh, we need innovation to give them the tools to let them click on the link without worrying.
We will never eliminate cyber security training altogether. But we should always remember that it is an overhead that indicates a need for more innovation in cyber security.