Too few cybersecurity professionals is a gigantic problem for 2019
As the new year begins gaining steam, there is ostensibly a piece of good news on the cyber front. Major cyberattacks have been in a lull in recent months, and still are.
The good tidings are fleeting, however. Attacks typically come in waves. The next one is due, and 2019 will be the worst year yet — a sad reality as companies increasingly pursue digitization to drive efficiency and simultaneously move into the “target zone” of cyberattacks.
This bad news is compounded by the harsh reality that there are not nearly enough cybersecurity pros to properly respond to all the threats.
The technology industry has never seen anything quite like it. Seasoned cyber pros typically earn $95,000 a year, often markedly more, and yet job openings can linger almost indefinitely. The ever-leaner cybersecurity workforce makes many companies desperate for help.
Between September 2017 and August 2018, U.S. employers posted nearly 314,000 jobs for cybersecurity pros. If they could be filled, that would boost the country’s current cyber workforce of 714,000 by more than 40 percent, according to the National Initiative for Cybersecurity Education. In light of the need, this is still the equivalent of pocket change.
Global gap of nearly 3 million cybersecurity positions
In a recent study, (ISC)² — the world’s largest nonprofit association of certified cybersecurity pros — said there is now a gap of almost 3 million cybersecurity jobs globally, substantially more than other experts said might be the case years into the future.
Companies are trying to cope in part by relying more aggressively on artificial intelligence and machine learning, but this is still at a relatively nascent stage and can never do more than mitigate the problem. Big companies have their hands full, and it’s even worse for smaller enterprises. They’re attacked more — sometimes as a conduit to their larger business partners — because their defenses are weaker.
So what kind of cyber talent are companies and government entities looking for?
Preferably, they want people with a bachelor’s degree in programming, computer science or computer engineering. They also warm up to an academic background replete with courses in statistics and math. They want cybersecurity certifications as well, and, of course, experience in specialties plagued by staffing shortages, such as intrusion detection, secure software development and network monitoring.
These are ideal candidates, but, in fact, the backgrounds of budding cyber pros need not be nearly this good.
Only recently has formal training existed
Cybersecurity has long been a field that has embraced people with nontraditional backgrounds. Almost no cybersecurity pro over 30 today has a degree in cybersecurity, and many don’t even have degrees in computer science. Professionals need some training to become familiar with select tools and technologies (usually at a community college or bootcamp), but even more they need curiosity, knowledge of the current threat landscape and a strong passion for learning and research. Particularly strong candidates have backgrounds as programmers, systems administrators and network engineers.
Asking too much from prospective pros isn’t the only reason behind the severe cyber manpower shortage. In general, corporations do too little to help their cyber staffs stay technically current and even less when it comes to helping their IT staffs pitch in.
(ISC)² formalized a study of more than 3,300 IT professionals less than 18 months ago and learned that organizations aren’t doing enough to properly equip and empower their IT staffs with the education and authority to bolster their implementation of security technologies.
Inadequate corporate cyber training
One key finding was that 43 percent of those polled said their organization provides inadequate security training resources, heightening the possibility of a breach.
Universities suffer shortcomings, as well. Roughly 85 of them offer undergraduate and/or graduate degrees in cybersecurity. There is a big catch, however. Far more diversified computer science programs, which attract substantially more students, don’t mandate even one cybersecurity course.
Fortunately, positive developments are popping up on other fronts. Select states have begun taking steps to help organizations and individuals alleviate a talent shortage by building information-sharing hubs for local businesses, government and academia — all revolving around workforce development.
Georgia recently invested more than $100 million in a new cybersecurity center. A similar facility in Colorado, among other things, is working with area colleges and universities on educational programs for using the next generation of technology. Other states have begun following in their wake.
On another front, there is discussion about a Cybersecurity Peace Corps. The model would be similar to the original Peace Corps but specific to nascent cybersecurity jobs. The proposed program — which would require an act of Congress and does not yet exist — would place interested workers with nonprofits and other organizations that could not otherwise afford them and pay for their salaries and training.
Cyber bootcamps and community college programs
Much further along are cyber bootcamps and community college cybersecurity programs. The bootcamps accept non-programmers, train them in key skills and help them land jobs. Established bootcamps that have placed graduates in cyber jobs include SecureSet Academy in Denver, Open Cloud Academy in San Antonio and Evolve Security Academy in Chicago.
There are also more than a dozen two-year college cybersecurity programs scattered across the country. A hybrid between a bootcamp and community college program is the City Colleges of Chicago (CCC), which partners with the Department of Defense on a free cybersecurity training program for active military service members.
A small handful of technology giants have also stepped into the fray. IBM, for example, creates what it calls “new collar” jobs, which prioritize skills, knowledge and willingness to learn over degrees. Workers pick up their skills through on-the-job training, industry certifications and community college courses and represent 20 percent of Big Blue cybersecurity hires since 2015.
Technology companies still must work much harder to broaden their range of potential candidates, seeking smart, motivated and dedicated individuals who would be good teammates. They can learn on the job, without degrees or certificates, and eventually fit in well. You can quibble with how much time, energy and work this might take. It’s clear, however, that there is no truly viable alternative.
The Shutdown Is Doing Lasting Damage to National Security
But the longer-term costs to national security of this shutdown may be even greater than the short-term risks. One is the cost to the federal workforce itself. Experienced staff, such as foreign-service officers, are quitting. Our government is losing talent that took years to recruit and train, and will take years to replace. Agencies are accustomed to training their workforces to competency and then having their best-trained and highest-performing employees take on management and leadership roles. Instead, they may now find their most competent and able agents, investigators, and analysts leaving for the private sector.
Whether a federal agent is starting out as a GS-11 or has reached GS-15 status, federal employees in the national- and homeland-security fields—like their counterparts in the private sector or non-national-security government roles—have family responsibilities and financial commitments, such as mortgages and car payments. Public service is a calling, but the financial stress of an uncertain paycheck can cause mid-career national-security professionals to leave the federal workforce just when they are reaching the point where they have attained expert-level knowledge and substantial experience.
The government shutdown will have a long-lasting impact on America’s cybersecurity
The government is on hiatus. Enemies of the United States are not.
Why it matters: During the government shutdown, essential personnel are exempt from the furlough — so in theory, anyone preventing cybersecurity calamities is still showing up for work. But experts believe the loss of support staff makes the cybersecurity effects of a shutdown bad in the short term and worse in the long term.