Sophisticated organizations defend themselves against cyber attacks with tools, products, services, and, perhaps most importantly, highly capable security professionals. But it is becoming very difficult to attract and retain good talent. The pool of qualified, available resources has run dry, and it is now up to academic institutions to replenish the workforce population. It won’t be easy, but higher education must save cybersecurity!
The demand for security professionals is at an all-time high, but the labor pool is largely barren of qualified candidates. Various data sources paint a similar picture, with estimates that ~70% of security organizations are understaffed, ~40% of junior-level jobs are vacant, and senior-level roles go unfilled ~50% of the time. A lack of security talent, especially in leadership roles, is a severe impediment to organizations in desperate need of staffing in-house teams.
Hiring a quality cybersecurity professional is not as easy as you might think. Universities are trying urgently to fill the gaps but are having difficulty delivering the needed knowledgeable and experienced personnel. Some experts have described cybersecurity as a “zero-unemployment” field. In fact, the gap is widening, with 2020 predictions expecting the shortfall to reach 1.5 million workers. Adding to the challenge, with demand high and supply low, security technology salaries are going up fast and are far outpacing their IT counterparts. Specialty positions show strong double-digit growth in salary over last year’s figures. Leadership roles are in great demand as well, with compensation rising to match. Relief from this situation will only come about by addressing the supply side of the equation.
Barriers to resolution
Higher education institutions and governing bodies are working feverishly to fill the tremendous demand with significant numbers of new security graduates, but serious barriers stand in the way. Academic structures are not well aligned with the needs of the industry, there is a lack of consistent degree and curriculum standards, and educating students with relevant content in a rapidly changing field is proving difficult with traditional practices.
Positions within the industry are constantly evolving, with new roles and responsibilities emerging at a rapid pace. The titles are changing, as are the expectations for education and experience. A recent inventory of federal job responsibilities showed more than 100 occupation series which include a significant amount of cybersecurity work, representing ~1.6 million employees or roughly 4% of the workforce. Adding to the mix are new industry jobs emerging around privacy, big data, internet-of-things, policy, customer protection, product design, testing, audit, investigation, and legal aspects of security. Education institutions are having a difficult time aligning the skillsets of graduates with the shifting landscape of what employers truly need at any given moment.
Consistency across different higher education institutions is a separate problem which must be addressed. A nationally recognized degree in cybersecurity does not exist. Instead, most programs are customized and can have a vastly different emphasis and graduation requirements depending upon the host university. There is not even a consensus on which departments such programs should reside in. A 2014 Ponemon report showed a variety of academic departments where cybersecurity is situated, ranging across engineering, computer science, library, military, business, and legal studies. The result is clusters of graduates entering the workforce possessing vastly different sets of educational knowledge and security skills. This is problematic both for potential employers trying to fill a position and for prospective applicants desiring to show competitive aptitude.
Teaching cybersecurity is difficult in and of itself. The technology, threats, and attack methods shift rapidly. It seems every eight to twelve months, the industry swings to an entirely new focus. A fellow security professional stated “if they are learning from a book, it is already outdated”. Traditional rote teaching styles are insufficient to train professionals, as they rely heavily on static material. More dynamic sources of information, and processes to integrate them into the classroom, are needed. Cybersecurity instruction must be agile and stay very close to the pulse of what is happening in the real world.
Expectations are not being realized, both by recent hires into the field and by companies who are investing in college graduates. Students told me it was the last six months of schooling that was most relevant. Before that, most describe the knowledge as an interesting history lesson, but not very practical. Learning the fundamentals is always required to understand the landscape and establish base skills, but the real value is in the pragmatic application of knowledge to support risk mitigation. I have seen frustration with many companies who have hired graduates, only to discover they are not prepared for day one. They are glad to have them as part of the team, but the organization must start near square one to teach them the current challenges and the methods to be successful. Simply put, both sides expect more.
With the vast differences in programs, teaching backgrounds, and content interpretation, sometimes even the basics are overlooked. Many graduates don’t understand the practical distinction between obstacles and opposition. I have found that most, with the exception of those with a statistical background, don’t adequately grasp the relational difference between vulnerability and risk of loss. Most concerning is how many students have a very narrow viewpoint and overlook how cybersecurity is both a technology-based and a behavior-based discipline. Far too many technical graduates see security as solely an engineering problem, where the right hardware, software, or configuration will achieve the goal and forever solve the puzzle. This is just not realistic. Cybersecurity weaves technology and human elements together in a symbiotic way. Addressing only one aspect may improve the situation, but it will ultimately fail as an isolated stratagem. These are fundamental constructs every security professional should be fluent in before entering the labor force.
The solution is apparent
The solution will arrive in three parts. First, partnerships between higher education and the industry will need to attract more talent into cyber sciences, including women and underrepresented minorities. The current numbers of students are just not enough to satisfy demand, and expanding diversity adds fresh perspectives for creatively tackling difficult problems.
Second, students must be trained with relevant materials that take into account the highly dynamic subject matter and environment. Optimally, this should extend to post-graduates as part of continual learning programs. The professionals of today also have a role to play. They must contribute to the growth and security of tomorrow by advising and mentoring students, assisting educators, and contributing to the development of curriculums. In a recent presentation to educators and academic administrators at the NSF Cybersecurity Summit, I recommended both an expansion of traditional topics and engaging industry practitioners to help provide timely insights and discussions for students. Teamwork across academia and the private sector is mutually beneficial and will help raise the effectiveness of graduates as they enter the workforce.
Third, the curriculums must be designed to align with the security roles in the market. An adequate level of consistency across teaching institutions, attesting to the completion of applicable studies, is required. In short, a recognized degree program for cyber sciences must be established.
Progress toward the goal
The shortfall in talent is no surprise, as the industry has seen this coming for some time, and a number of groups have been working diligently to change the academic system which supports cybersecurity professionals. The US National Initiative for Cybersecurity Education (NICE) is a strategic organization tying together education, government, and the private sector to address cybersecurity education and workforce development. The Association for Computing Machinery (ACM) is an international society for computing working to develop uniform knowledge content for cybersecurity roles.
Working independently, many higher education institutions are taking the initiative to bring in experts to help teach and advise students, delivering more relevant education and better preparing them for the jobs they will be seeking. They are reaching out to industry professionals to help staff and students stay current on the latest trends, research, and best practices.
The Cyber Education Project (CEP) Industry Advisory Board is leading a national academic accreditation program effort to formally establish a Cyber Science degree and the necessary certification criteria. Institutionally, we should see a formal Cyber Science degree approved in 2016 to establish consistent guidelines for graduates across the landscape of higher education.
In the meantime, however, businesses must adapt to the challenging employment environment. Hiring of technical and leadership cybersecurity staff will continue to be difficult for the foreseeable future. Human Resources (HR) departments can play a crucial role in planning for and addressing these problems. In a presentation to a Chief Human Resources organization last year, I outlined a number of different areas where HR can facilitate practices to both hold on to good talent already in place and plan accordingly to hire qualified candidates.
HR teams must stay on top of competitive salary reviews for current security professionals to ensure compensation is at the right level to retain talent in the face of headhunters who are currently circling like sharks, hungry for any opportunity to harvest security professionals. HR representatives should also be prepared to have candid discussions with managers asking to hire new security staff, as the market price may be misaligned with budgets, compensation disparity could be disruptive to current staffing expectations, and it may take an unusually long time to successfully fill a role. In some cases, outsourcing may be the best option and should be up for consideration.
Must save cybersecurity
The industry is in trouble, as a huge deficit of available professionals continues to grow. Without well-trained personnel, most organizations cannot establish or maintain a sufficient cybersecurity posture. Academia is the gateway to preparing the next generation of professionals, and universities are working purposefully to fill the gaps but are having difficulty delivering the needed knowledgeable and experienced personnel. Progress is slow, but inroads are being made by the best of academia. Cybersecurity may be fought with technology, but it is people who triumph. We must invest in the future generations of professionals who will carry on the fight. Higher education must save cybersecurity.