The (ISC)2 Workforce Study was released last week and the numbers continue to be grim. The study finds there is a cyber workforce shortage of nearly three million worldwide and just shy of 500,000 in the United States.
If you work in cyber, especially at an ISAO like the ACSC, then you are well aware of the top-line numbers and probably spend a lot of your time talking about it with both educational institutions and with organizations looking to hire. If you dig deeper, you’ll see a lot of opportunities to quickly leverage the current workforce, bring new cybersecurity pros into the field, and leverage existing infrastructure to quickly close the skills gap.
The Current Cyber Workforce Wants to Learn
We often say this isn’t a static career path, you can’t grab your baccalaureate or certificate and hop into a job, never to crack open a book again. Successful security professionals are constantly reading and networking with peers to stay up to date on the latest threats and industry developments. But what the (ISC)2 survey shows is a vast majority (86%) of respondents are currently pursuing or plan to pursue additional certifications to help further their careers. In full transparency, (ISC)2 develops and administers the CISSP exam and of their survey of 1,500 cyber professionals, 17% were members of (ISC)2. In addition, workers who already have certifications in their field need to maintain those certifications through continuing education to stay abreast of industry changes.
Employers have an opportunity to support those workers by assisting them as they work to achieve their goals. Organizations with a cyber workforce should assess the skills gap they have, look to see what workers are interested in filling those gaps, and then support their education, either through certifications, conference attendance, or university degrees. This is a win/win situation where workers improve skills and job satisfaction and the organization reduces turnover, improves resiliency, and reduces risk.
We Can Cast a Wider Net
Employers often lament the dearth of candidates available to them, but the high demand, high-value skills open the door to a wide array of people looking to enter into cybersecurity. The list includes:
Governance, risk management, and compliance
Risk assessment, analysis, and management
Obviously, technical skills are still critical, but governance and risk analysis and management are considered some of the most important skills to develop for organizations. As employers assess their cyber workforce they should take into account these critical skills and see how they can develop them from their existing employees or hire them into their organization. An effective risk manager can not only improve resiliency, but also provide ROI as they find cost-effective ways to improve security, decrease risk, and potentially improve trust in the marketplace for their organization.
Non-Traditional Look at Technical Skills
Ask a cyber worker how they got there and you will often find a circuitous route and the phrase “I just sort of fell into it.” While plenty of people still come into cyber through life experiences, many are now actively choosing a cyber career and an entire industry has grown around them with certifications, bootcamps, conferences, and university degree programs.
On the job training is still crucial, particularly when you consider the wide array of security platforms available, every environment has a unique twist that must be learned simply by working within the organization. But, those looking to break into cyber and those looking to move to the next level can actively take their career in their hands by reviewing the options available to them.
Organizations like the CETC (Cyber Education and Training Consortium), which is a consortium of 36+ colleges, universities, and training programs actively work to improve education options. The CETC actively seeks input from industry to design the right courses that local organizations need. There is nothing more valuable than a multi-billion dollar company sitting down with a handful of local colleges to talk about exactly what they need for skills. Even better, often those working professionals can go into academia, teaching a course or two, to help train that workforce.
Finally, we need to move into diversity. As the study notes, 24% of cybersecurity professionals are women and that number is expected to grow, but we also need to focus on socio-economic diversity. Effective ideas include exposing young students at middle school and high school levels to cybersecurity, providing scholarships and grants to help diverse students onto a career path, provide an array of learning options from traditional classrooms to online learning, and active recruitment by universities and industry to bring diversity into the sector.
Since cyber professionals come from a range of backgrounds, a common obstacle we hear from hiring managers is that HR isn’t sure how to screen for the best employees. Often HR requires a four-year degree which eliminates a large percentage of the workforce. Another complaint, are “jack-of-all-trades” job descriptions that seem to look for unicorn candidates who can handle everything from patching systems to representing the company in legal disputes. Cyber professionals need to work patiently with HR resources to educate them on clusters of job skills and how to accurately screen for viable candidates.
The top takeaway from our Collaborative Cyber Defense study conducted in partnership with McKinsey and Mass Insight Global Partnerships in 2017 shows that a top-down approach to cybersecurity -- working from the board and the C-Suite -- is the best way to improve resiliency in an organization. C-Suite guidance can provide:
Using risk assessment wisely to steer budget and resources
Help manage sticking points within the organization, like hiring, to streamline employee onboarding
Improve incident response and preparedness across the organization
We at the ACSC focus a great deal of time on workforce development and will continue to do so into 2019 and beyond. We are actively fostering communications between education, hiring organizations, and the workforce to help fill those 500,000 open positions. We believe with some strategic planning and resources that we have a good opportunity to be a leader in New England for the rest of the country.