Earlier this year, CSO Magazine reported the results of the annual survey of global IT professionals from the IT research firm Enterprise Strategy Group (ESG). Respondents identified cybersecurity as the top area where their organization has a problematic shortage of skills. That information is not new this year; the cybersecurity skills deficit has held the top position in every year. In fact, they report that the problem is increasing year over year.
As a society, we need to take this issue more seriously. We are quickly moving towards a world in which cyber security is tantamount to national security. The United States spends more on national defense than anyone else in the world by a considerable margin, but without significant investment in cyber security, we will be woefully unprepared for our near-future defense needs.
That investment isn’t just spending money on technology; we must have in place trained people with the skills and experience to implement security technologies—and adapt as threats evolve.
The good news is, we can solve these problems. We have examples from countries such as the United Kingdom, which has implemented programs that attract young people to cyber security careers with significant earning potential and enable students to get the training and experience they need to break into the field at no cost to themselves. With the rising cost of education in the US, a similar program could be extremely attractive and beneficial to both our national security systems and economy.
Before we can expect to see that kind of investment, we need to address the issues that have created the gap: the value we place on our information security professionals and the priority we give to their work.
Closing the Cybersecurity Skills Gap Is a Long-Term Problem
As I explained in my most recent post, the shortage of qualified cybersecurity professionals is growing increasingly serious. However, no short-term solution is going to produce an army of qualified professionals to help fill that gap. Meanwhile, companies compete for the services of the available professionals by creating more attractive compensation packages. Some organizations have the means to attract top talent; some don’t. When I talk with InteliSecure’s clients, I get a sense of the universal frustration they face. Even large enterprises tell me, “Regardless of what I pay, the best and brightest cyber-security professionals do not want to come work for us when they can go down the road and work for Apple or Google.”
Managed data protection providers tend to have access to better training and more sought-after mentors in the cybersecurity space than other companies would, providing attractive career options to cybersecurity professionals, especially early in their careers. A recruiter once told me that the reason he targeted my SOC personnel so aggressively was that each of them had exposure to at least eight systems. Six months of experience in the managed services environment was comparable to four years of experience in a more traditional environment—making those people extremely valuable.
However, while managed data protection services are a force multiplier for the overall cybersecurity labor force, they are not a long-term solution to the larger problem of attracting more qualified professionals to face the mounting challenges presented by increasingly sophisticated cyber threats.
Deepening the Talent Pool
To strengthen the average talent in the cybersecurity labor market, we first need to address some deeply entrenched issues and misconceptions about the field.
Encourage the brightest from all backgrounds to apply.
A major problem that faces the sector today: Cybersecurity as a career field is overwhelmingly male, and overwhelmingly Caucasian. While there is nothing wrong with white males, we need to appeal to a wider population to build the numbers, skill sets, and creative problem-solving that’s required to face current and future challenges. Building that broader appeal starts when we destroy the public perception that information security professionals sit all night in hoodies in front of a multitude of monochromatic screens eating Cheetos and drinking Mountain Dew. (Most of us don’t do that.)
Make cybersecurity more approachable for people with non-tech backgrounds.
Most people are surprised to learn that there are many avenues into security that require few technical skills or experience. There’s a place for you in cybersecurity even if you don’t write code or know Python or Ruby. (News flash: I’ve done pretty well for myself in this space and I don’t know those things.) This first challenge revolves around convincing smart, creative, savvy people from a variety of disciplines and backgrounds that we need them to join the fight with us.
Some of the most difficult positions to fill are positions in which the applicant must understand security and technology enough to interface with the technical teams while possessing the communication skills and business acumen necessary to communicate security challenges, investments, and results to a business audience.
Build meaningful connections for incoming generations.
We can build a more diverse workforce by getting them excited about joining us in this battle. What we do is fun, interesting, and of paramount importance to the world as a whole, and we need to get the word out. Millennials want more than money; they want to do things that matter. Few things will matter more in the next 40 years than cybersecurity.
Just think of the impact cybersecurity threats have had on the world as a whole over the last seven years. Large breaches have made major news many times; security leaks have been the subject of many books, movies, and news broadcasts; and security failings and mishandling of data even significantly impacted the 2016 US presidential election. (Consider the possibility that if proper data handling and information security had been in place, there is a good chance the United States of America would have sworn in a President Hillary Clinton rather than a President Donald Trump in January of 2017.)
We need to remind career-minded professionals that in this field, they have the chance to work on issues with that level of national and international importance and protect the potentially historic outcomes.
If we aim to compete globally, we must do more! In China, Russia, and other countries, understanding computers and cybersecurity is perceived to be cool, and those countries have active programs in place to develop interest and investment in cybersecurity workers.
However, in the US, it’s no secret that we’re consistently among the highest achieving nations in the Olympics but significantly lag behind many other developed nations in education for Science, Technology, Engineering, and Math (STEM) disciplines. As a society, we get what we value. If we hope to play a leading role in international affairs, be ready for the next generation of warfare, and have a fighting chance to protect our business interests, we must find ways to engage young people in a way that we currently only engage athletes.
The future of intelligence gathering does not lie with men in black coats following targets and planting bugs in hotel rooms, but rather men and women behind computer terminals seeking to gain access to resources that are sensitive to their adversaries. Simply put, the future of international espionage looks far more like Kevin Mitnick than James Bond.
Additionally, future international conflicts will not automatically be fought with tanks and machine guns on a battlefield but more often played out in cyberspace. For example, when the United States was concerned about Iran’s nuclear reactors in the early 2000s, the military did not, as they would have done in the past, go to war and start a bombing campaign. Instead, it is widely believed they deployed a computer virus known as Stuxnet, which successfully destroyed some of the infrastructure. Today, the capabilities of nations are measured as much by the skill level of their attackers and defenders in cyberspace as by the number of tanks, planes, ships, and soldiers they are able to deploy.
Make Closing the Gap a Priority
Deepening the cybersecurity talent pool will require effort and investment from both public and private entities. It also requires a shift in how we view cybersecurity as a profession and how we perceive the professionals who occupy those roles.
The challenges of our time demand that we do a better job of attracting and training the type of people that will be on the front line of protecting legitimate interests from nefarious actors now and in the future.