In no year since the inception of the internet has cybersecurity loomed as such a major threat to national security and American businesses. In 2017, cyberattacks continue at peak intensity, sophistication, and frequency. Nation states unabashedly attack all kinds of organizations, and hacker crime rings aggressively look for security vulnerabilities. Data breaches get bigger, viruses like ransomware grow more insidious, and threats to critical infrastructure have the potential to harm our modern, internet-reliant way of life.
Amidst these threats, CISOs and security professionals worry we’re outgunned. Why?
Let’s look at some key drivers of this talent shortage.
Obviously, increased cyberattacks increase demand for cybersecurity talent. George Finney, Chief Security Officer at Southern Methodist University, points out that not only larger businesses but also smaller businesses have realized a need to hire cybersecurity professionals.
While slowly improving, the push to excite kids and adolescents about cybersecurity isn’t strong. Helen Patton, CISO of Ohio State University, said that there’s a lack of resources and awareness about cybersecurity in the K-12 education pipeline.
In a blog post, the RSA Conference said “Cybersecurity should be an enticing career for young adults. […] Yet, interest and awareness in cybersecurity careers remains low. Indeed, [a recent Raytheon-National Cyber Security Alliance (NCSA)] study suggests that both young adults and their parents need better information and guidance on cybersecurity careers.”
When people hire, recruit, and nurture talent for a new industry, they often fall back on old habits such as requiring many years of clear-cut experience. As Finney says, “We’re often looking for senior cybersecurity people, but there aren’t many out there. There weren’t good cybersecurity programs 20 years ago, so senior-level candidates will not have traditional experience.”
While hiring entry-level or senior cybersecurity people is hard enough for CISOs, the really tough spot is finding people with 3-5 years of experience who can start working on critical tasks immediately. Many CISOs say it takes about three years of real-world cybersecurity experience for an employee to really start adding value to a team.
Many security professionals note that cybersecurity job descriptions sometimes come off as impractical and stringent. Organizations need talent but they don’t realize how much they push away strong candidates by asking for unrealistic requirements. “People interchange terms like security, cybersecurity, IT, risk management, technology controls management, etc. and they all mean different things,” says Patton. “There’s not a common understanding or definition of what we mean when we say security. Each security team is different.” The way that security teams articulate these definitions affects the kinds of talent they attract—or repel.
George Finney, CISO of Southern Methodist University, notes that the security community is often influenced by traditional business hiring, where specific backgrounds and skillsets are necessary. But Finney argues that this mindset can hurt the cybersecurity industry. “For example,” he says, “the Chief Information Security Officer is different from more specific roles such as forensic investigators, vulnerability malware hunters, or firewall engineers. They require more of a background in communication, planning, and strategy, and a diverse background helps.”
When aspects of security such as data breach notification tie up cybersecurity employees with paperwork and answering regulators, they’re not focused on actual security tasks and strategy. As Patton points out, “Because regulations are compliance-focused and not risk-based, our people are spending time in the wrong places sending information to regulators that has nothing to do with the security level of an organization.”
CISOs are optimistic that we will solve this talent shortage. They point to existing activities in place that help boost the number of cybersecurity candidates but also note that more needs to be done by businesses, colleges and universities, and Congress.
K-12 schools, colleges and universities, the government, and the private sector must continue coordinated efforts to interest kids in cybersecurity at an early age. Activities such as Girl Scout security badges or adolescent boot camps are helpful.
However, while Patton supports legislation that funds K-12 training programs with proper curriculums and well-trained teachers, the goal is not just teaching students how to program. “It’s about being a secure digital citizen,” she says. “If you teach them how to program in kindergarten, that kind of language won’t exist when they’re in high school. Instead, a K-12 curriculum should cover areas such as social norms about using technology that includes security, bullying, etc.”
CISOs are fans of degree alternatives such as apprenticeships and certifications. For many entry- and junior-level cybersecurity jobs, career paths can open even for people without a traditional educational background. One CISO on our board said that she has hired people without college backgrounds who instead went through an apprentice program at her company—and she wants more of these people on her team.
Finney says, “Open your mind to entry-level people, coach them, and build them up. Although I still value certifications, I’ve stopped requiring them when I hire people.” Patton adds that businesses can’t expect people to make radical career shifts into cybersecurity. “We need to support people while they’re training. You can’t just leave a job and spend three months in an unpaid boot camp if someone has a family. Instead, we need to explore more train-for-pay programs to serve as a bridge for people who want to shift careers into cybersecurity.”
In addition to degree alternatives, openness to more diverse backgrounds makes sense because cybersecurity is such a wide, rich field. CISOs need to be open to cybersecurity talent from a diverse array of backgrounds that may include information technology, data analytics, psychology, law, financial services, software development, military, or government. People from liberal arts or creative backgrounds may also find a place in cybersecurity.
Patton suggests businesses need to stop whining and start funding. “Businesses need to be funding the teaching resources we need. At universities, there aren’t enough teachers to teach the classes. Big companies can not only fund universities but also give students experience while they’re getting a degree. That gives them 4-5 years of experience as they leave college, and that’s our sweet spot of experience we’re looking for when we hire.” Only with the largest companies involved can these programs scale.
And as data breaches show, cybersecurity is not just a technology issue—it’s a business issue that’s fully entered boardrooms across the United States. Finney says, “Colleges and universities need to start teaching cybersecurity in business schools, not just in engineering schools. Cybersecurity is a leadership, management, and culture issue – and all of that is led from the top. The more business leaders understand cybersecurity, the better off we’ll be. Cybersecurity must become a part of business 101, and business leaders must get ahead of the curve so that we’re not constantly just fighting breaches as a business ‘strategy’.”
Congress already recognizes the need to invest in cybersecurity talent as seen by recent bills such as the Cyber Scholarship Opportunities Act. Multiple bills have offered up ideas such as funding scholarships directly, incentivizing schools to offer cybersecurity programs, or encouraging employers to invest more in their employees. But Congress needs to do more.
Patton says, “I want to see legislation that is not prescriptive but aspirational. Define the outcome but not the path to get there. Let security professionals decide what secure means and how to achieve it. Right now, legislation is too specific.” And Finney says we need larger cybersecurity programs from the government whether it’s funding degrees or channeling resources toward educational programs.
At the NTSC, we see opportunities to learn what strategies and tactics best work to supply CISOs with talent and develop our nation’s cybersecurity workforce, and we plan on talking to lawmakers in Washington DC about ways they can help.
No one of us can reverse the cybersecurity talent shortage alone. Businesses, government, colleges and universities, K-12, and non-profit organizations like the NTSC must work together to solve the problem.