Advancing Cybersecurity Training and Skills in an Industry Faced With a Talent Shortage

The cybersecurity skills gap is a real and growing challenge in the United States. The total employed cybersecurity workforce in the U.S. consists of 1,53,468 people – with nearly 600,000 currently unfilled positions, according to Cyber Seek, a project sponsored by the National Initiative for Cybersecurity Education, which is part of the National Institute of Standards and Technology.

By next year, there will be more unfilled cybersecurity roles in the United States if we don’t start thinking – and acting – differently about how we identify and develop talent. We have identified four major trends that are contributing to the gap:

1. The growth in demand for skills is significantly outpacing growth in supply;
2. We are leaving large pools of skilled candidates untapped;
3. The complexity of employer requirements means more than half of applicants are considered “unqualified”; and
4. There is low awareness of opportunity, fit, and career paths for the general population.

Cybersecurity jobs will be among some of the key roles that drive post-pandemic job recovery over the next five years, but can we close the gap on growing a robust cybersecurity workforce?

The Skills Gap Decade

This year capped a global cybersecurity skills gap decade with, evidently, no singular reason behind it. In 2010, the Center of Strategic and International Studies (CSIS) declared that the U.S. lacked cybersecurity experts across the business and government sectors of the economy. As the decade wore on, globally, cybercriminals operating through state-sponsored hacking groups continued to steal billions. By 2016, researchers had agreed that the problem was no longer domestic and that a worldwide gap was present. In today’s Coronavirus environment, the necessity for a remote workforce is extending beyond 2021, and that alone enhances the risk landscape for many businesses, which will have to step up their cybersecurity to safeguard their data. But how will they identify needed cybersecurity professionals? By some accounts, globally, next year’s businesses will need as many as 1.8 million hi-tech professionals to operate and support deployed systems.

Four Major Trends Contributing to the Cybersecurity Skills Gap

There are four major trends that are contributing to the gap as suggested by a 2018 Aspen Institute report:

1. Increasing demand for workers with cyber skills is outpacing the supply. The current demand for cybersecurity professionals far outpaces the number of available cybersecurity workers. In the U.S., the national average is 68%, meaning that there are only enough cybersecurity workers in the United States to fill 68% of the cybersecurity jobs that employers demand.
2. We’re leaving large pools of skilled candidates untapped. For example, women comprise 43% of full-time labor in the U.S. workforce, but at 11%, are severely underrepresented among all cybersecurity workers. Ten million returning armed forces, often pre-security-cleared, may be a robust resource of skilled candidates that could be trained for cybersecurity careers. There may also be pools of potential candidates in new geographic “tech hubs.” These are folks living outside traditional coastal tech hubs; they may have a bachelor’s degree and can be trained for cybersecurity.
3. Overly complex employer requirements may disqualify applicants who may be technically qualified. Cybersecurity jobs often require more education, experience and certifications than other IT roles. Employer demand is for those who have top-level certifications, which require five or more years of experience. Not all roles require the same amount of training and certifications, although employers are posting hiring notices as if they all required high-level certifications. It’s called over-spec’ing. Some roles do not truly need a bachelor’s degree but those roles are posted with a degree as a requirement. Unnecessary security clearance requirements can also delay hiring.
4. General populations are unaware of cybersecurity opportunities. Awareness of cybersecurity as a profession is generally low, and outreach is scant due to scattered populations while wide-open cyber career spheres await. However…Several diversity-focused organizations have emerged in recent years and are trying to educate students.

The Employer Perspective

Employers want graduates with cybersecurity foundations — specific knowledge sets and skills. These are vital technical work roles:

• Understanding computer architecture, data, cryptography, networking, secure coding principles and operating system internals;
• Proficiency with Linux-based systems;
• Fluency in low-level programming languages;
• Know common exploitation methods and mitigation techniques;

Increasingly, to close the gap, employers are building relationships with local educators and hiring cybersecurity applicants with nontraditional backgrounds. Organizations are also considering establishing internal retraining programs to draw from existing talent pools. These platforms undergird all sectors.

Think-Tank Perspectives

Gartner estimates a current environment of more than 900 different cyber career profiles. It’s 2021 research on cybersecurity in organizations focuses on the urgency to treat cybersecurity as a business decision and the slowing of cybersecurity spend, which is projected to decline 7% by 2023.

The Aspen Institute’s principles propose pipelines to expand and sustain the U.S. cybersecurity labor force through emerging technologies such as the Internet of Things (IoT). These simplified models, with transparency, can leverage the NICE Cybersecurity Workforce Framework:

• Adjacent technical professional skills for hiring and training;
• Launching apprenticeship programs to train candidate pipelines at scale; and
• Maximizing your impact by partnering focus on scale.

Successful Programs for Preparing the Workforce

The annual U.S. Homeland Security Cyber Challenge (USCC) fulfills its ranks by seeking the best 10,000 U.S. networks.

Its two complementary initiatives are the Cyber Quests online challenge series and week-long Cyber Camp programs for aspiring cyber professionals.

• NICCS Partners, The National Initiative for Cybersecurity Careers Studies, in lead cybersecurity training and workforce development. This cybersecurity career path can be elusive; its groups and specialty areas:
• High-level grouping of common cybersecurity functions;
• Distinct areas of cybersecurity work;
• Detailed groupings of cybersecurity work comprised of specific knowledge, skills and abilities; and a backlog to come from audiences listed in NICCS.

The National Centers of Academic Excellence in Cybersecurity (NCAE-C) needs further cybersecurity education, to protect critical infrastructure. This workforce needs support through these essential skills.

The Workforce Framework for Cybersecurity (NICE Framework) is Cyber Operations (CAE-CO) via inter-disciplinary computer science, computer engineering, and/or electrical engineering disciplines. NICE should gather educators, employers and cybersecurity competition providers.

Major sponsors are CIS; CISQ; MacAfee; Google; Verizon; Deloitte; Dell-Technologies; GDIT; Trustwave; Microsoft and others.

• The National Institute of Standards and Technology (NIST) Apprenticeships in cybersecurity for various stakeholders (government, employers, intermediaries, educational partners) to build and sustain cybersecurity: apprenticeships in cybersecurity-related occupations;
• Analysis of work-enhanced learning models;
• Return on investment;
• Apprenticeship in ecosystem integration & scaling; with more approaches to create cybersecurity professionals.

New standards emphasize instruction for computing fundamentals, engaging hands-on learning. You and your colleagues can adopt or adapt programs.

Fostering Cybersecurity Training and Skills Growth

The remaining gaps exist in the nation’s current cybersecurity education and training landscape. For large organizations, cybersecurity training typically involves a Board of Trustees investing in cybersecurity training. Growth going into 2022 will be strong, and we can expect to see roughly 600,000 new jobs created by 2026.

Ways in which organizations can widen cybersecurity worker pipelines include:

• Flexibility on requiring a four-year degree;
• Accepting associate’s degrees and completed high school;
• Cyber Challenge (USCC);
• More diverse and inclusive candidates;
• Require some level of knowledge or skill;

For individuals moving into cybersecurity, if you don’t have a technical background, some training online is free with Cybrary and CISA resources. Even some pre-med and psychology students, auto mechanics, artists and stay-at-home moms have migrated to cybersecurity. As an emerging professional, you’ll need technical training across four fundamental cores:

• Secure system design — developing infrastructure;
• Incident response — managing an IT aftermath;
• Tool development — implement secure configurations;
• Penetration testing — simulated cyber-attacks;

There are also high-skilled technical training programs available at cost, and several are building robust pipelines for cyber capacity. Through programs such as these, the tendrils of a cybersecurity workforce are attaining industrial levels.

Finally, automation, the next frontier in cybersecurity, may be an effective way to deal with the cybersecurity skills shortage. For all workflows, automation would eliminate uncertainty at all steps — “100% confidence in the tools.”

Barry McPhee is a guest blogger.