Late last year, underscoring the current U.S. cyber employee shortage of more than 300,000 workers, the prestigious Aspen Institute Cyber and Technology Strategy Group asked its sizeable cast of blue-chip cybersecurity experts to study solutions to this years-long – and ever-worsening – problem.
The group, which is co-chaired by IBM Chairman and CEO Ginni Rometty and whose other members include Symantec CEO Greg Clark and Michael Hayden, a former director of the CIA and National Security Agency, ultimately produced eight recommendations, noting that no single one alone would work.
A couple of them were good. One recommended “widening the aperture of candidate pipeline” by adopting New Collar principles, such as the cessation of the practice of making degrees a mandatory hiring requirement. Also noteworthy was a suggestion that companies make a bigger commitment to cybersecurity employee development and training.
Most of the recommendations, however, were a yawn; they were neither new nor creative and, most importantly, would not be particularly effective. This included a suggestion that job openings become more “engaging” and more prospective employers no longer “over-spec” job requirements. Another was to launch apprenticeship programs to train candidate pipelines at scale. This might sound good, but it has been tried more than once and too often discontinued for lack of sufficient commitment.
Two Obvious Questions
Two key questions come to mind. The first is why the cyber workforce shortage continues to worsen virtually non-stop. The answer is that demand significantly outpaces supply, large candidate pools are left untapped, employer requirements too often are not in sync with the needed skills, and awareness of cyber career paths remains low.
Given this, the other question, obviously, is what to do about these hurdles.
The answer is to not refer this information to think tanks, which no doubt know it already, but rather to entities that can make a difference. A case in point are select states that have begun taking steps to help organizations and individuals alleviate a talent shortage by building information sharing hubs or taking other steps revolving around workforce development. Two standouts are the states of Georgia, which recently invested more than $100 million in a new cybersecurity training center, and Maryland, which among other things is building a curriculum for junior colleges throughout the state, qualifying students for entry-level cyber positions.
In addition, Bethesda, Maryland-based SANS Institute has won a grant from the state to launch a local cybersecurity workforce development program. And the Maryland Cyber Skills Alliance, another Maryland cybersecurity workforce training program, is starting a formal effort this month to train people from underserved populations seeking to break into cybersecurity. The Alliance also has a state grant in hand.
A Cybersecurity Peace Corps
Another good idea would be the formation of a government-run Cybersecurity Peace Corps, focused on the creation of nascent cybersecurity jobs. This idea has been proposed before, but it has gone nowhere, partly because it would require an act of Congress. This idea, in particular, has plenty of merit and should be resurrected and substantially backed and lobbied for by the cybersecurity industry.
In addition, technology companies -- criticized frequently for inadequate in-house cyber training and investing too little effort in skills upgrading -- should take a good look at what IBM is doing to stimulate more employable cybersecurity talent. It creates what it calls “new collar” jobs. These prioritize skills, knowledge and willingness to learn over degrees. New collar employees pick up the necessary skills through on-the-job training, industry certifications and community college courses. They represent 20 percent of IBM cybersecurity hires since 2015.
Still more ideas are needed because of the size of the worker shortage. Between September 2017 and August 2018, U.S. employers posted nearly 314,000 jobs for cybersecurity pros, compared to a monthly job opening average of 209,000 in 2015. If these could be filled, that would boost the country’s current cyber workforce of 714,000 by more than 40 percent, according to the National Initiative for Cybersecurity Education. In the scheme of things, this is still the equivalent of pocket change.
3.5 Million Unfilled Cyber Jobs Grows Globally
The number of cyber job openings is certain to keep growing, and at an accelerated pace. According to Cybersecurity Ventures, there will be 3.5 million unfilled cybersecurity positions globally by 2021 – up from 1 million in 2014.
Companies are trying to cope in part by relying more aggressively on artificial intelligence and machine learning, but this is still at a relatively nascent stage and can never do more than mitigate the problem. Big companies have their hands full, and it’s even worse for smaller enterprises. They’re attacked more -- sometimes as a conduit to their larger business partners – because their defenses are weaker.
What’s needed from Candidates Today
It’s no secret that companies in need of cybersecurity talent typically want people with a bachelor’s degree in programming, computer science or computer engineering. They also like to see academic backgrounds full of courses in statistics and math. Also a big plus, predictably, is some experience in the most sought-after employment areas.
No question, the people with these backgrounds are ideally qualified. But that’s the problem: a flock of ideal candidates isn’t realistic. Many people without such stellar backgrounds can still do the job if they show motivation, express a willingness to learn and are given a chance. Cybersecurity employers have long embraced people with nontraditional backgrounds. Almost no cybersecurity pro over 30 today has a degree in cybersecurity and many don’t even have degrees in computer science.
Professionals need some training to become familiar with select tools and technologies – usually at a community college or cyber boot camp -- but even more they need curiosity, knowledge of the current threat landscape and a strong passion for learning and research. Particularly strong candidates have backgrounds as programmers, systems administrators and network engineers.
Multiple efforts to improve cyber training on multiple fronts are obviously under way, but the U.S. can still use substantially more assistance. Companies must realize, for example, that smart, motivated employees can largely learn on the job. Certificates and/or degrees can be obtained later. You can quibble with some likely drawbacks. One is that existing corporate cyber pros no doubt already have their hands full. But clearly there is no option available at this point but to embrace any and every solution that may be helpful.