In order to strengthen the average talent in the cybersecurity labor market, we first need to address a major problem that faces the cybersecurity sector. Cybersecurity as a career field is overwhelmingly male and overwhelmingly Caucasian. In fact, according to a recent article from bankinfosecurity.com citing government statistics, “Whites, who account for about 80 percent of the American workforce, make up 70 percent of the IT security workforce. About 7 percent of those categorized as information security analysts are African Americans; blacks make up about 12 percent of the overall workforce. Latinos make up about 5 percent of the IT security labor force vs. 15 percent of the overall workforce. Women also are underrepresented in the IT security workforce: about 8 percent vs. 45 percent overall.” (http://www.bankinfosecurity.com/women-minorities-scarce-in-security-field-a-4143).
In order to produce the number of cybersecurity professionals we will need to face current and future challenges, we will need to appeal to a wider audience.
To do so, we must first destroy the public perception that Information Security professionals sit all night in hoodies in front of a multitude of monochromatic screens eating Cheetos and drinking Mountain Dew. Most of us don’t do that. In fact, there are many avenues into security that require few technical skills or experience.
We need to do a better job of making cybersecurity more approachable. We need to get the word out that there’s a place for you in cybersecurity even if you don’t write code or know Python or Ruby. News flash: I’ve done pretty well for myself in this space and I don’t know those things. Some of the most difficult positions to fill are positions in which the applicant must understand security and technology enough to interface with the technical teams while possessing the communication skills and business acumen necessary to convey security challenges, investments and results to a business audience. This first challenge revolves around convincing potential employees that we need people just like them to join the fight with us.
Additionally, we need to build a desire for a more diverse workforce to join us in this battle by explaining how what we do is fun, interesting and of paramount importance to the world as a whole. Millennials want more than money. They want to do things that matter. Few things will matter more in the next 40 years than cybersecurity. Just think of the impacts cybersecurity has had on the world as a whole over the last 4 years. It has made major news many times, been the subject of many books, movies and news broadcasts, and even significantly impacted the 2016 US presidential election. If you think about it, had it not been for the alleged mishandling of confidential information utilizing a private email server and significant leaks of information resulting from the hacking of the Democratic National Committee and Hillary Clinton’s staff, there is a good chance the United States of America would have sworn in President Hillary Clinton rather than President Donald Trump.
Fundamentally, security is both a business problem and a people problem. In my book (find it on Amazon here https://www.amazon.com/Building-Comprehensive-Security-Program-Guidelines/dp/1484220528/ref=sr_1_1?ie=UTF8&qid=1478692168&sr=8-1&keywords=jeremy+wittkop) I do my best to create a channel in which people who are still defining what they’d like their careers to be can understand how they can contribute in a multitude of ways while simultaneously earning a good living.
If we aim to compete globally, we must do more! In China, Russia and other countries, understanding computers and cybersecurity is perceived to be cool. If we hope to play a leading role in the next generation of warfare and have a fighting chance to protect our business interests, we must find ways to engage young people in a way that we currently only engage athletes. It’s no secret that we’re consistently among the highest-achieving nations in the Olympics but significantly lag behind many other developed nations in Science, Technology, Engineering and Math (STEM) disciplines from an educational perspective. As a society, we get what we value.
We should change what we value with respect to cybersecurity as well. The future of espionage does not lie with men in black coats following targets and planting bugs in hotel rooms, but rather men and women behind computer terminals seeking to gain access to resources that are sensitive to their adversaries. Simply put, the future of international espionage looks far more like Kevin Mitnick than James Bond.
Additionally, the future of some aspects of warfare will not be fought with tanks and machine guns on a battlefield but will be fought in cyberspace as more of a competition of intelligence and technical skill than a test of bravery and physical prowess. Prior to the nuclear agreement with Iran, when the United States was concerned about Iran’s nuclear reactors, the military did not, as they would have done in the past, go to war and start a bombing campaign. Instead, it is widely believed they deployed a computer virus known as Stuxnet, which successfully destroyed some of the infrastructure.
Note: No one from the Israeli or American military or intelligence apparatus has ever publicly acknowledged responsibility for Stuxnet and I certainly do not have first-hand knowledge that they are responsible.
Iran had hardened those targets against bombs dropped from above by burying them underground in bunkers, but they were unprepared for the cyber attack, which succeeded in damaging its target. There will still be a role for kinetic warfare in the defense equation, but cyber-warfare is poised to take an increasingly prominent role on the world stage with respect to conflicts between nations. The capabilities of nations, then, will be measured as much by the skill level of their attackers and defenders in cyberspace as they will by the number of tanks, planes, ships, and soldiers they are able to deploy.
Another way that the cybersecurity talent pool is being deepened and organizations without the resources to protect themselves are being assisted in the United States is through the National Cybersecurity Intelligence Center in Colorado Springs, CO. Aside from providing services to small businesses, this center will help attract and train large numbers of cybersecurity professionals who are likely to move on to other cybersecurity roles at some point.
Deepening the talent pool will require efforts from both public and private entities, as well as a shift in how we view cybersecurity as a profession and the professionals who occupy those roles. However, the challenges of our time demand that we do a better job at attracting and training the type of people that will be on the front line of protecting legitimate interests from nefarious actors now and in the future.
The cybersecurity skills gap is a real problem facing businesses and nations that is projected to get worse in the future. It is a multi-faceted problem that will require a multi-faceted solution. In order to solve the long-term problem, those of us in cybersecurity must do a better job of telling our story and recruiting the best and brightest among us to join the fight.