Too few cybersecurity professionals is a gigantic problem for 2019

Robert Ackerman Jr. Contributor
Robert Ackerman Jr. is the founder and a managing director of
AllegisCyber, an early-stage cybersecurity venture firm, and a
founder of DataTribe, a cybersecurity startup “studio” in
metropolitan Washington, D.C.

As the new year begins gaining steam, there is ostensibly a
piece of good news on the cyber front. Major cyber attacks have
been in a lull in recent months and still are.

The good tidings are fleeting, however. Attacks typically come
in waves. The next one is due, and 2019 will be the worst year yet
— a sad reality as companies increasingly pursue digitization to
drive efficiency and simultaneously move into the “target zone”
of cyberattacks.

This bad news is compounded by the harsh reality that there are
not nearly enough cybersecurity pros to properly respond to all the
threats.

The technology industry has never seen anything quite like it.
Seasoned cyber pros typically earn $95,000 a year, often markedly
more, and yet job openings can linger almost indefinitely. The
ever-leaner cybersecurity workforce makes many companies desperate
for help.

Between September 2017 and August 2018, U.S. employers posted
nearly 314,000 jobs for cybersecurity pros. If they could be
filled, that would boost the country’s current cyber workforce of
714,000 by more than 40%, according to the National Initiative for
Cybersecurity Education. In light of the need, this is still the
equivalent of pocket change.


Global Gap of Nearly 3 Million Cybersecurity Positions

In a recent study, (ISC)2 – the world’s largest nonprofit
association of certified cybersecurity pros – said there is now a
gap of almost 3 million cybersecurity jobs globally –
substantially more than other experts said might be the case years
into the future.

Companies are trying to cope in part by relying more
aggressively on artificial intelligence and machine learning, but
this is still at a relatively nascent stage and can never do more
than mitigate the problem. Big companies have their hands full, and
it’s even worse for smaller enterprises. They’re attacked more,
sometimes as a conduit to their larger business partners,
because their defenses are weaker.

So what kind of cyber talent are companies and government
entities looking for?

Preferably, they want people with a bachelor’s degree in
programming, computer science or computer engineering. They also
warm up to an academic background replete with courses in
statistics and math. They want cybersecurity certifications as
well, and, of course, experience in specialties plagued by staffing
shortages, such as intrusion detection, secure software development
and network monitoring.

These are ideal candidates, but, in fact, the backgrounds of
budding cyber pros need not be nearly this good.

Only Recently Has Formal Training Existed

Cybersecurity has long been a field that has embraced people
with nontraditional backgrounds. Almost no cybersecurity pro over
30 today has a degree in cybersecurity and many don’t even have
degrees in computer science. Professionals need some training to
become familiar with select tools and technologies, usually at a
community college or boot camp, but even more they need
curiosity, knowledge of the current threat landscape and a strong
passion for learning and research. Particularly strong candidates
have backgrounds as programmers, systems administrators and network
engineers.

Asking too much from prospective pros isn’t the only reason
behind the severe cyber manpower shortage. In general, corporations
do too little to help their cyber staffs stay technically current
and even less when it comes to helping their IT staffs pitch
in.

(ISC)2 formalized a study of more than 3,300 IT professionals
less than 18 months ago and learned that organizations aren’t
doing enough to properly equip and power their IT staffs with the
education and authority to bolster their implementation of security
technologies.

Inadequate Corporate Cyber Training

One key finding was that 43% of those polled said their
organization provides inadequate security training resources,
heightening the possibility of a breach.

Universities suffer shortcomings as well. Roughly 85 of them
offer undergraduate and/or graduate degrees in cybersecurity. There
is a big catch, however. Far more diversified computer science
programs, which attract substantially more students, don’t
mandate even one cybersecurity course.

Fortunately, positive developments are popping up on other
fronts. Select states have begun taking steps to help organizations
and individuals alleviate a talent shortage by building information
sharing hubs for local businesses, government and academia — all
revolving around workforce development.

Georgia recently invested more than $100 million in a new
cybersecurity center. A similar facility in Colorado, among other
things, is working with area colleges and universities on
educational programs for using the next generation of technology.
Other states have begun following in their wake.

On another front, there is discussion about a Cybersecurity
Peace Corps. The model would be similar to the original Peace Corps
but specific to nascent cybersecurity jobs. The proposed program
— which would require an act of Congress and does not yet exist
— would place interested workers with nonprofits and other
organizations that could not otherwise afford them and pay for
their salaries and training.

Cyber Boot Camps and Community College Programs

Much further along are cyber boot camps and community college
cybersecurity programs. The boot camps accept non-programmers,
train them in key skills and help them land jobs. Established boot
camps that have placed graduates in cyber jobs include Securest
Academy in Denver, Open Cloud Academy in San Antonio and Evolve
Security Academy in Chicago.

There are also more than a dozen two-year college cybersecurity
programs scattered across the country. A hybrid between a boot camp
and community college program is the City Colleges of Chicago
(CCC), which partners with the Department of Defense on a free
cybersecurity training program for active military service
members.

A small handful of technology giants have also stepped into the
fray. IBM, for example, creates what it calls “new collar”
jobs, which prioritize skills, knowledge and willingness to learn
over degrees. Workers pick up their skills through on-the-job
training, industry certifications and community college courses and
represent 20% of Big Blue cybersecurity hires since 2015.

Technology companies still must work much harder to broaden
their range of potential candidates, seeking smart, motivated and
dedicated individuals who would be good teammates. They can learn
on the job, without degrees or certificates, and eventually fit in
well. You can quibble with how much time, energy and work this
might take. It’s clear, however, that there is no truly viable
alternative.
