Urgent Need for Cybersecurity Professionals Grows
The projected shortage of skilled workers is increasing to nearly 2 million.
The cybersecurity workforce gap is real, and it’s growing. Based on a state-by-state analysis on CompTIA’s cyberstates.org, there are currently 320,000 open cyber jobs in the United States. By 2022, the projected shortage of cybersecurity professionals worldwide will reach 1.8 million, according to the Center for Cyber Safety and Education.
The challenge for government agencies in the United States to recruit and retain talent is mammoth. A June 2018 report by the U.S. departments of Commerce and Homeland Security noted, “The United States needs immediate and sustained improvements in its cybersecurity workforce situation.”
Lengthy security clearance delays and onboarding processes, along with low pay and a knowledge gap about specific workforce needs and education programs, have severely impacted the total number of cybersecurity workers across the country.
Shortages exist for nearly every position within cybersecurity. Most alarmingly though, the greatest need is for highly skilled technical staff. In 2010, the Center for Strategic and International Studies’ (CSIS) report “A Human Capital Crisis in Cybersecurity” found that the United States “not only [has] a shortage of the highly technically skilled people required to operate and support systems already deployed, but also an even more desperate shortage of people who can design secure systems, write safe computer code and create the evermore sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts.”
By 2016, CSIS found that things hadn’t improved much. Information technology professionals still consider technical skills such as secure software development the most difficult to find among cybersecurity candidates.
Rob Joyce knows all too well there is not enough skilled talent for the growing need of the cyber community. As senior cybersecurity strategy advisor to the director, National Security Agency (NSA), and former cybersecurity advisor to the president, he thinks “we need to make systemic changes to address [the] gap.”
Speaking to attendees at AFCEA’s second annual Cyber Education Research and Training Symposium (CERTS) in January in Augusta, Georgia, Joyce emphasized the need for formal and informal education, diversity in cyber and continuous learning as a starting point.
A key element of his long-term national cyber strategy is formal education. “We need to get people into that education pipeline,” Joyce said. “Less than 65,000 people will graduate with undergraduate degrees in computer and information science fields. That’s not cybersecurity. That includes all [information technology] and computer science students across the country. That’s a scary figure when we say we have more than 300,000 open jobs,” Joyce stressed.
What’s more alarming is that of those 65,000, only 12,000 are women. Even fewer are minorities. “I think if you are looking for a strategic lever that the nation has to pull, the first thing we have to do is balance that pipeline out to represent our population,” he said.
The International Information System Security Certification Consortium (ISC)2 reported in 2017 that women continue to make up only 11 percent of the information security workforce worldwide, and only about 14 percent in the U.S. Research conducted by the Center for Cyber Safety and Education and the Executive Women’s Forum on Information Security, Risk Management and Privacy also found that despite women in cybersecurity having higher levels of education than men, fewer hold senior-level positions, and they earn less money.
Joyce believes that needs to change if the cyber community hopes to make a dent in the skills-gap crisis.
“If we can get women into the computer science/cybersecurity field at the same level as men, we will see a substantial increase in that pipeline,” Joyce stated. “It’s the same for minorities. If the computer science outlook looked like the demographics of our country, we would up those numbers [in the pipeline] significantly.”
Another component to review is informal education. Many times the best cybersecurity professionals are not a product of formal education but are uniformed military. “They get significant exposure and come out of their service with huge talent but no degree,” Joyce said.
Industry is starting to see that pipeline, but government needs to consider these types of candidates seriously. That means devising new and creative ways in the human resources process at the NSA, which in the government is not easy. “We need to use all of our society,” Joyce said.
Brig, Gen. Dennis A. Crall, USMC, deputy principal cyber advisor, Office of the Secretary of Defense, who also spoke at CERTS, agrees. “The biggest killer to onboarding is the security clearance process,” he said. Though he hasn’t seen much progress in reforming it, Gen. Crall is more convinced than ever that there will be movement soon.
In 2019, the Defense Department hopes to build and manage its workforce from a coding and training perspective. “We’re trying to get an idea of what we own and what we have,” the general said.
Position descriptors have proven unreliable. “Our forces are growing, and we don’t necessarily have good accountability of how people work,” he said. Coding and common standards will help greatly. The idea is to get more out of existing security resources, not just adding more. “The key is being smart and hiring the right people,” the general added.
He echoed similar sentiments about lengthy security clearance delays at the National Security Technology Forum and Exposition, a joint effort between the University of California San Diego and AFCEA, in February. “We bring people on and they’re all excited until they’re here six months and no longer excited because they can’t work on a project. If they went out to industry, they might work on a project in days, but for us it’s months, and it’s a job killer,” he stated.
Gen. Crall also lamented that the department has not yet taken full advantage of internships. He suggested the intelligence community uses internships much more effectively—in some cases recruiting employees straight out of high school and nurturing them along. Why can’t the cyber community do the same?
The military already is taking some steps toward change. Recruits with cyber expertise can enlist as commissioned officers, for example, and a program known as Cyber Excepted Service allows the military to offer incentives to personnel with cyber experience.
The NSA has started working with some universities to give credit for the internal training they do as well. “Now people who have been hackers inside the military have a head start to a full degree where they only have to complete a little more coursework to get a bachelor’s degree or certification that recognizes the training they received in the military,” Joyce said.
Cyber topics are not static. “We all need to make a commitment to lifelong learning,” Joyce stressed. The people who are the best in this field never stop learning. And the best assessment is not always the grades they got in their cyber classes or a test of what technology they know.
“It’s a simple question of how do you spend your free time? If you show me somebody who has a Raspberry Pi they play with on their own, out of self-generated interest, we find those people top the charts when we give them opportunities to learn. They come out on the other end just being rock stars,” he said.
Joyce sees early STEM education as another key component to filling the cybersecurity gap. “We need to be inspiring our kids into these [STEM] disciplines so they want to be cybersecurity professionals,” he said.
The NSA has invested in ways to do that. Its GenCyber program provides summer cybersecurity camp experiences for students and teachers at the K-12 level. The goals of the program are to increase interest in cybersecurity careers and diversity in the cybersecurity workforce, and improve teaching methods for delivery of cybersecurity content in K-12 curricula.
The program began in 2014 with eight camps but has since ballooned to 150 camps in 43 states this past summer, according to Joyce. The better news: 43 percent of GenCyber campers were female and 50 percent were minorities or economically disadvantaged students.
To ensure a level playing field, GenCyber camps are open to all student and teacher participants at no cost. Funding is provided jointly by the NSA and the National Science Foundation.
“Last year we could have done 300 camps if we had had the funding and support,” Joyce stated. And that’s where he sees the challenge for industry. “Think about what you could be doing. Develop [or donate to] a high-leverage activity like these cyber camps where we are teaching teachers and exposing STEM to minority and female students who might otherwise not be inspired,” he said.
The NSA hopes the GenCyber program will be part of the solution to the nation’s shortfall of skilled cybersecurity professionals. Ensuring that enough young people are inspired to direct their talents in this area is paramount to the future of the country’s national and economic security.
For more information on the Cyber Education Research and Training Symposium and the National Security Technology Forum and Exposition at West visit www.afcea.org/site/events/past-events.