The global cybersecurity workforce will have more than 1.8 million unfilled positions by 2020, according to a 2017 report by Frost and Sullivan. But to date, employers have been slow to change their hiring behavior to reflect the pace at which the cyber industry is evolving. The ACSC Collaborative Cyber Defense study echoes this problem, finding that while all organizations seem to face a significant shortage of cybersecurity personnel, they struggle to identify those with the skills needed to address critical needs.
Our study found what many security executives anecdotally already suspected, that the cybersecurity talent market is highly competitive and fragmented. Where industry attempts to address the problem by turning to higher education, the ACSC study found that relationships between enterprises and academia tend to be bilateral and institution-specific, unlikely by themselves to match the talent problem’s scale. This presents both a challenge and an opportunity for organizations to collaborate with educational institutions in new ways to expand the cyber workforce. Collaboration initiatives around workforce development, similar to the partnership between the ACSC and the Cyber Education and Training Consortium (CETC), can powerfully impact the cyber talent pool in both the short- and long-term. Through this partnership, discussion is helping the ACSC define a new strategy for cybersecurity workforce development in New England.
Following completion of the Collaborative Cyber Defense study earlier this year, the ACSC hosted a Workforce Development Forum to bring together educational program representatives and security executives to discuss modern challenges and opportunities for building the next generation cybersecurity workforce. Below are some key takeaways which echo the findings of the research commissioned by the ACSC.
Barriers to Entry for Both New and Experienced Hires
While job data suggests new security practitioners should have no trouble getting hired, our study suggests that the entry point challenge is particularly severe. Given the natural preference of enterprises for experienced candidates, even highly motivated candidates can be challenged to get the first couple of years of experience that will give them more credibility and make them more effective. Our research, as well as anecdotal evidence from ACSC members, indicates that students are struggling to find strongly aligned job placements. Candidates with limited work history find it challenging to get employers to trust they have the skills to do the job over more experienced hires. This seems to be true both for new talent emerging from undergraduate programs and for experienced professionals leveraging graduate degrees to transition into security roles. More collective effort from security managers, executives, and curriculum developers would help provide baseline information for anticipating the most accessible career entry points for new cybersecurity practitioners.
Curriculum Focus Does Not Reflect Industry Demand
There continues to be a disconnect between cybersecurity educational programs and industry needs. Current curriculum is not meeting the needs of employers. Qualitative results from a study of cybersecurity curriculum in New England, done by the ACSC and CETC, indicate that students prefer to fill “red team” roles, where the emphasis is on vulnerability identification and penetration testing, but fewer than half of the study respondents reported that their students are prepared to fill “blue team,” or defensive, roles. In addition, ACSC members state that they are seeing potential employees who are missing fundamental programming skills, such as working at the command line and the ability to write scripts, as well as a broader range of competencies including communications, success from failure, behavioral economics, and risk management.
Curriculum needs to evolve at all levels (vocational, certification, and higher education), but industry engagement is critically lacking. A collaborative approach that fosters talent development by participating in and facilitating co-ops, internships, and other hybrid experience programs with universities can be valuable when hiring cyber talent. But this is one part of the larger collaboration imperative. A curation of programs, and which jobs are needed and when, are just some of the data points that can help broaden and widen the collaborative approach to include organizations of all sizes. The ACSC encourages and helps to facilitate the dialogue between industry and education at all levels to fill the gap between education and valued employee.
Modern Recruiting Systems Favor Antiquated Talent Assessment Models
Recruiting processes at companies often make it challenging to channel cybersecurity talent. Recruiters may not understand how to evaluate prospective employees, and hiring managers most likely do not have the bandwidth to provide education and training to help them. With more and more students opting for a cyber career path, the way people are entering cyber is changing, and our educational pathways should reflect that by taking the opportunity to “build a better student.” Success will depend on building new, scalable, community-level models to accelerate placement of a more diverse set of candidates, in both the types of people entering the profession and the types of career paths they choose.
ACSC and CETC Working to Expand and Improve Cyber Talent Pool
The CETC launched in 2017 as a partnership between the ACSC and the University of Massachusetts. It is a group of 36+ colleges, universities, and training programs all working towards improving the cyber talent pool to meet demand both locally and nationally. Together, we support our members in driving and supporting change in workforce development within the cybersecurity community at large. Through advocacy, dialogue, and research such as our Collaborative Cyber Defense study, we look forward to helping expand the cybersecurity workforce.