Everyone, including us, continues to harp about the cybersecurity talent gap. But while we recognize the problem, no one ever offers advice or recommendations on how key organizations, such as educational institutions, security groups and private companies, can help mend it and begin producing educated, experienced workers in troves.
The cybersecurity talent gap in numbers
The severity of the cybersecurity talent gap is well documented:
- As of last year, the U.S. had a total of 285,681 cybersecurity job openings. This equated to nearly 40% of the total employed cybersecurity workforce. – CyberSeek
- The total unfilled cybersecurity positions across the globe is predicted to hit 3.5 million in 2021. – Cybersecurity Ventures
- The demand for cybersecurity professionals will rise to about 6 million globally next year. – Palo Alto Networks
- India alone will need 1 million cybersecurity professionals by 2020. – National Association of Software and Services Companies (NASSCOM)
We can go on and on. Although the exact numbers might vary from one source to another, the message is the same – we are currently facing a cybersecurity talent shortage and the problem is expected to only grow for the next several years.
Today, I find most of my highly skilled security candidates coming out of the U.S. Military. While this career path has provided an extremely high level of talent and capabilities, relying solely on the military to close the skill gap won’t scale with today’s market demand.
Usually, when industries are faced with talent shortages, they turn to academic institutions for reinforcements. Although the academic community has stepped up to fill the gap, a lot has yet to be done.
For instance, 85 U.S. universities are now offering undergraduate and/or graduate degrees in cybersecurity. Indeed, this is a big improvement from only a handful that existed about a decade ago. However, when McAfee conducted a study of the cybersecurity skills shortage, only 23% of the respondents declared that education programs were preparing students to enter the industry.
And while some educational institutions are at least doing something to bridge the talent gap, the majority haven’t done anything at all. A global study by Raytheon involving 18-26 young adults revealed that:
- 69% of respondents were not offered classes needed to pursue a cybersecurity career or degree
- 62% said that no teacher mentioned cyber as a career option
- 61% didn’t know the tasks of cybersecurity professionals
Unless something is done to improve the disconnect between academia and industry, the cybersecurity talent gap will only grow wider.
Academia always plays a big role in alleviating the problem of talent shortage. However, as discussed in the previous section, academic institutions need to recalibrate their current approach so that when students graduate, they will be more prepared to address the actual information security issues of the industry.
Spark interest early
If you’ve read our blog post entitled “Cybersecurity = Man + Machine,” you understand that the path towards being a skilled cybersecurity professional, as with knighthood, is best kicked off at a young age. As early as middle school, a potential cybersecurity pro can acquire foundational skills like problem solving, data analysis and basic programming. I’m a huge believer that schools should put more emphasis on STEM (Science, Technology, Engineering and Mathematics) studies and develop programs to incite and encourage participation.
Integrate more into IT/computer-related courses and extracurricular activities
Graduates of IT and computer science-related programs are obviously prime candidates for cybersecurity jobs. However, many of these programs lack either cybersecurity courses or don’t have security incorporated into their subjects. A course in programming, for example, should incorporate security principles so that students will end up developing software that are inherently secure. It’s my opinion that every Computer Science course should include materials on security.
Because not everything can be taught in the classroom, students should also be encouraged to join cybersecurity organizations and exposed to competitions, like capture the flag, and other similar contests to boost interest in the field. Practical labs are a great way to reinforce and/or expand skills around securing systems and services.
Being the usual targets of cyberattacks, businesses and organizations need to make substantial contributions in closing the talent gap.
Partner with academia
While laying down foundational skills is key, even more can be accomplished if the industry has a deeper influence in curriculum development. This will enable graduates to gain the security skills and knowledge that are actually needed in real-world work environments.
This can be done if businesses collaborated closely with the academic community. P-TECH (Pathways in Technology Early College High School) is a perfect example of the kind of educational model we’re looking for. It brings together experts from industry (in this case, IBM) and academia in molding high school and college students to prepare them for jobs in IT.
Offer free trainings that enhance job-readiness
Initiatives like P-TECH do well at developing cybersecurity skills in school. But because cybersecurity training must be a continuous undertaking, businesses and organizations should also step in after graduation.
They can develop programs targeted at folks who have basic understanding of IT and security but still lack job-ready knowledge. One example is the Cisco Global Cybersecurity Scholarship, which provides free training, mentoring and certification to people coming out of universities and prepare them for a SOC (security operations center) analyst’s role.
Although academia and businesses are the usual suspects for closing talent gaps, industry and community groups can play a significant role as well. These groups, whose members are bound by a common interest, are in an excellent position to incorporate cybersecurity into their activities and encourage members to participate. The Cyber Patriot Program is a great example of success in this. The program created by the Air Force Association (AFA) inspires K-12 students toward careers in cybersecurity or other STEM disciplines. It focuses are three core areas:
- National Youth Cyber Defense Competition
- AFA CyberCamps
- Elementary School Cyber Education Initiative
Spur women empowerment in cybersecurity
According to a recent study, women make up only 11% of the information security workforce. But what’s even more amazing is that that number has remained unchanged since 2013. Clearly, we need to make cybersecurity more enticing for women and eliminate stigmas and misperceptions that’s preventing them from entering this field, as seen in our blog, “The Benefits of Being Blonde.” I cannot highlight this enough, women are a largely untapped workforce for security, and develop into some of the most talented security analysts, security engineers and forensic investigators I have seen throughout my career.
One initiative worth emulating is the partnership between Girl Scouts of the USA and Palo Alto Networks, which awards national cybersecurity badges to girls in grades K-12 who demonstrate mastery in the field. Initiatives like this, that bring down gender barriers and other traditional barriers in the workplace, can make a substantial impact to the overall problem.
Sponsor cyber boot camps
Organizations are now recognizing cyber boot camps as a sound way of augmenting the talent shortage in the cybersecurity domain. Cyber boot camps, as those organized by Securing Our eCity in San Diego, California, can be a jump off point for young students with potential and interest in the cybersecurity industry. In this annual event, the participants’ skills are honed and their awareness on security issues raised, enough for them to seriously consider pursuing a software development or IT-related degree and later joining the cyber workforce.
At the same time, cyber boot camps can also be utilized to quickly train individuals and fast track them into a career in the industry. This boot camp style-teaching model is particularly appealing to jobseekers who are looking to get a high 5-figure salary (for a start) after only about 4 to 6 months of the accelerated training program.
The cybersecurity talent gap is a gargantuan problem. But it can be solved by the collective efforts of industry, academe and community/industry groups. A few have already risen to the challenge. It’s time we did our part.