
Global Gap Of Nearly 3 Million CyberSecurity Positions

Too few cybersecurity professionals is a gigantic problem for 2019

As the new year begins gaining steam, there is ostensibly a piece of good news on the cyber front. Major cyberattacks have been in a lull in recent months, and still are.

The good tidings are fleeting, however. Attacks typically come in waves. The next one is due, and 2019 will be the worst year yet — a sad reality as companies increasingly pursue digitization to drive efficiency and simultaneously move into the “target zone” of cyberattacks.

This bad news is compounded by the harsh reality that there are not nearly enough cybersecurity pros to properly respond to all the threats.

The technology industry has never seen anything quite like it. Seasoned cyber pros typically earn $95,000 a year, often markedly more, and yet job openings can linger almost indefinitely. The ever-leaner cybersecurity workforce makes many companies desperate for help.

Between September 2017 and August 2018, U.S. employers posted nearly 314,000 jobs for cybersecurity pros. If they could be filled, that would boost the country’s current cyber workforce of 714,000 by more than 40 percent, according to the National Initiative for Cybersecurity Education. In light of the need, this is still the equivalent of pocket change.

Global gap of nearly 3 million cybersecurity positions

In a recent study, (ISC)² — the world’s largest nonprofit association of certified cybersecurity pros — said there is now a gap of almost 3 million cybersecurity jobs globally — substantially more than other experts said might be the case years into the future.

Companies are trying to cope in part by relying more aggressively on artificial intelligence and machine learning, but this is still at a relatively nascent stage and can never do more than mitigate the problem. Big companies have their hands full, and it’s even worse for smaller enterprises. They’re attacked more — sometimes as a conduit to their larger business partners — because their defenses are weaker.

So what kind of cyber talent are companies and government entities looking for?

Preferably, they want people with a bachelor’s degree in programming, computer science or computer engineering. They also warm up to an academic background replete with courses in statistics and math. They want cybersecurity certifications as well, and, of course, experience in specialties plagued by staffing shortages, such as intrusion detection, secure software development and network monitoring.

These are ideal candidates, but, in fact, the backgrounds of budding cyber pros need not be nearly this good.

Only recently has formal training existed

Cybersecurity has long been a field that has embraced people with nontraditional backgrounds. Almost no cybersecurity pro over 30 today has a degree in cybersecurity and many don’t even have degrees in computer science. Professionals need some training to become familiar with select tools and technologies, usually at a community college or bootcamp, but even more they need curiosity, knowledge of the current threat landscape and a strong passion for learning and research. Particularly strong candidates have backgrounds as programmers, systems administrators and network engineers.

Asking too much from prospective pros isn’t the only reason behind the severe cyber manpower shortage. In general, corporations do too little to help their cyber staffs stay technically current and even less when it comes to helping their IT staffs pitch in.

(ISC)² formalized a study of more than 3,300 IT professionals less than 18 months ago and learned that organizations aren’t doing enough to properly equip and empower their IT staffs with the education and authority to bolster their implementation of security technologies.

Inadequate corporate cyber training

One key finding was that 43 percent of those polled said their organization provides inadequate security training resources, heightening the possibility of a breach.

Universities suffer shortcomings, as well. Roughly 85 of them offer undergraduate and/or graduate degrees in cybersecurity. There is a big catch, however. Far more diversified computer science programs, which attract substantially more students, don’t mandate even one cybersecurity course.

Fortunately, positive developments are popping up on other fronts. Select states have begun taking steps to help organizations and individuals alleviate a talent shortage by building information-sharing hubs for local businesses, government and academia — all revolving around workforce development.

Georgia recently invested more than $100 million in a new cybersecurity center. A similar facility in Colorado, among other things, is working with area colleges and universities on educational programs for using the next generation of technology. Other states have begun following in their wake.

On another front, there is discussion about a Cybersecurity Peace Corps. The model would be similar to the original Peace Corps but specific to nascent cybersecurity jobs. The proposed program — which would require an act of Congress and does not yet exist — would place interested workers with nonprofits and other organizations that could not otherwise afford them and pay for their salaries and training.

Cyber bootcamps and community college programs

Much further along are cyber bootcamps and community college cybersecurity programs. The bootcamps accept non-programmers, train them in key skills and help them land jobs. Established bootcamps that have placed graduates in cyber jobs include SecureSet Academy in Denver, Open Cloud Academy in San Antonio and Evolve Security Academy in Chicago.

There are also more than a dozen two-year college cybersecurity programs scattered across the country. A hybrid between a bootcamp and community college program is the City Colleges of Chicago (CCC), which partners with the Department of Defense on a free cybersecurity training program for active military service members.

A small handful of technology giants have also stepped into the fray. IBM, for example, creates what it calls “new collar” jobs, which prioritize skills, knowledge and willingness to learn over degrees. Workers pick up their skills through on-the-job training, industry certifications and community college courses and represent 20 percent of Big Blue cybersecurity hires since 2015.

Technology companies still must work much harder to broaden their range of potential candidates, seeking smart, motivated and dedicated individuals who would be good teammates. They can learn on the job, without degrees or certificates, and eventually fit in well. You can quibble with how much time, energy and work this might take. It’s clear, however, that there is no truly viable alternative.

***

The Shutdown Is Doing Lasting Damage to National Security

But the longer-term costs to national security of this shutdown may be even greater than the short-term risks. One is the cost to the federal workforce itself. Experienced staff, such as foreign-service officers, are quitting. Our government is losing talent that took years to recruit and train, and will take years to replace. Agencies are accustomed to training their workforces to competency and then having their best-trained and highest-performing employees take on management and leadership roles. Instead, they may now find their most competent and able agents, investigators, and analysts leaving for the private sector.

Whether a federal agent is starting out as a GS-11 or has reached GS-15 status, federal employees in the national- and homeland-security fields—like their counterparts in the private sector or non-national-security government roles—have family responsibilities and financial commitments, such as mortgages and car payments. Public service is a calling, but the financial stress of an uncertain paycheck can cause mid-career national-security professionals to leave the federal workforce just when they are reaching the point where they have attained expert-level knowledge and substantial experience.

***

The government shutdown will have a long-lasting impact on America’s cybersecurity

by Joe Uchill, Axios, Business Insider

The government is on hiatus. Enemies of the United States are not.

Why it matters: During the government shutdown, essential personnel are exempt from the furlough — so in theory, anyone preventing cybersecurity calamities is still showing up for work. But experts believe the loss of support staff makes the cybersecurity effects of a shutdown bad in the short term and worse in the long term.

The fallout: Consider the difficulty of maintaining security in government networks before a government shutdown. Now try doing that with fewer people.

  • “Defending federal networks is already an act of triage, due to personnel shortages, legacy IT overhang, uneven risk management practices and a hostile threat environment. Furloughs make a hard job even harder,” said Andrew Grotto, a former White House cybersecurity adviser for Presidents Obama and Trump and a current employee of Stanford’s Hoover Institution.
  • While critical personnel are still on duty during a shutdown, he added, “What that means as a practical matter is that these people have to do even more than usual.”

Those problems will stick around after the shutdown. It’s likely, say multiple former federal employees Codebook spoke to, that federal networks will fall behind on basic hygiene tasks.

  • “Government shutdowns tend to affect support activities disproportionately, such as hiring or vetting contracts. Thus, over time, personnel slots will go unfilled and contracts will expire, making it difficult to sustain the workforce or upgrade equipment,” noted Michael Daniel, former White House cybersecurity coordinator and current president and CEO of the industry group Cyber Threat Alliance.

In the long term, this could do irreparable damage to the federal government’s ability to hire cybersecurity talent.

  • The unemployment rate for trained cybersecurity personnel is famously at 0%, the private sector pays better and the only advantage the government has in hiring is the importance of the work and the gratitude of a nation.
  • Willingness to shutter the government doesn’t speak too highly to the perceived value of the job or its employees.

Departments devoted to cybersecurity policies will grind to a halt.

  • The National Institute of Standards and Technology, which is developing a widely awaited privacy framework, is seeing its staff reduced to 49 out of its normal cohort of roughly 3,000 employees.
  • The Department of Homeland Security’s newly christened Cybersecurity and Infrastructure Security Agency will be without a substantial amount of support staff. By DHS’ tally, 43% of the workforce — over 1,500 employees — are furloughed.

Security-related investigations and prosecutions at the FBI and Department of Justice will continue with all employees carried over.

The bottom line: Furloughing cybersecurity staff creates both short-term and long-term vulnerabilities.

  • “Cyber threats don’t operate on Washington’s political timetable, and they don’t stop because of a shutdown,” said Lisa Monaco, former assistant to the president for homeland security and counterterrorism.

from: https://www.businessinsider.de/government-shutdown-american-cybersecurity-2019-1?r=US&IR=T