A new report aims to put to rest the question of whether a national and global shortfall of cybersecurity talent is a genuine problem: Several hundred global IT leaders answered with a resounding “yes,” with the vast majority saying government inaction is partly to blame.
The study, developed jointly by the Center for Strategic and International Studies and Intel Security, shed light on the extent to which the talent shortage is a problem not just for government agencies, but also for private companies, which can usually offer salaries far higher than the public sector can.
Of the corporate and government IT professionals surveyed in the U.S., the U.K., Australia, France, Germany, Israel, Japan and Mexico, 82 percent said they’re unable to fill open jobs with adequately trained and experienced people, and don’t see the picture improving. On average, they expect 15 percent of their critical cyber positions to remain unfilled by the year 2020.
Of those surveyed, 71 percent said the shortage was already causing direct and measurable damage to their organizations.
“When you have so many positions that aren’t filled, in all probability that means the people you do have are working 24 hours a day and headed for burnout, or they’re not quite as alert the next morning as they might have been,” said Candace Worley, the senior vice president and general manager of Intel Security. “It also means there are things that aren’t getting done. You’re probably going to devote your cyber workforce to the things that are most critical like responding to cyber incidents and breaches that have already occurred, because those are the things you can’t ignore. The less-critical things like patching operating systems and applications are probably going to get traded off.”
As to the reasons for the shortage, 76 percent of IT executives said the problem was caused, at least in part, by the fact that their governments weren’t investing enough in training a workforce with cyber skills.
“The respondents felt, universally across the globe, that governments weren’t doing enough to help build the cybersecurity talent funnel,” she said. “Companies like ours are trying to be proactive in partnership with governments and with other vendors to solve this problem, and part of the answer is to start doing things in schools at a relatively young age. Getting students aware that cyber is an issue and that security is an issue when you’re online starts to plant that seed that computers are more than gaming consoles or social chat. Hopefully, that helps us to have a discussion with them once they get to high school and college about cybersecurity as a career.”
Dr. Phyllis Schneck, the deputy undersecretary of Homeland Security for cybersecurity, said that while her workforce within the National Protection and Programs Directorate is top-notch, it’s undersized, partially because of the inadequate pool of job candidates.
She said the department is trying to make inroads against the problem by creating more opportunities for workers to move back and forth between the private sector and government — a strategy that’s also better suited to the workforce preferences of a “millennial” generation that sees no particular value in staying in one job from college graduation until retirement.
“We want people to be able to get the chance to work in the private sector — build big things and innovate and understand building and shaping a market — but also work in a place like DHS where you’ll see things like you’ve never seen before,” she said. “I can tell you that being in our shop trains you that sleep is overrated. You constantly run, you’re constantly excited, and you will come out of that with the sharpest skills you’ve ever had in your career. We want to give those skills to young students and let them transfer those to the private sector after a tour of duty. Our management directorate calls this a ‘passport,’ so you might not have to do all the forms every time, you just move in and out of the government every couple years. If we do this right, they’ll be making the most money when their kids go to college so that it’s not a financial issue, but you’ll still have seen the best of industry and the best of government.”
Schneck said DHS is also looking for ways to use government funds to pay for students’ college education in exchange for a commitment that they stay in a federal cyber position for a certain period of time.
“Another approach is we would figure out a way to help them in a career path that would be mentored and guided by both the government and the private sector,” she said. “We would build on the success of a program we co-fund with the National Science Foundation called Scholarship for Service. Almost all the students who’ve worked at DHS through that program have said they want to come back.”
An approach that used government positions and scholarships as the launching pad for a cyber career would seem to address another key finding in the CSIS-Intel survey, in which a majority of executives said they wanted job applicants to have a minimum of a bachelor’s degree in a relevant field, but that real-world training and experience put certain candidates above others.
“A technical degree was sort of the third priority for them in deciding whether someone was qualified for a job,” Worley said. “They ranked things like professional certifications and hacking competitions and experience as more important.”
The federal government has been trying to address the broader challenge of quantity and quality within the U.S. cybersecurity workforce for several years. Its main vehicle has been the National Initiative for Cybersecurity Education, led by the National Institute of Standards and Technology. The NICE framework, first released in April 2013, is due for an update, which is expected to be released this fall.
Rodney Petersen, the director of the NICE initiative, said it aims to boost the U.S. cybersecurity workforce by expanding the pool of potential job candidates beyond 20-somethings who’ve just graduated college with a technical degree.
“Someone going through K-12 schools and then a university and then to an employer is not the only pathway to getting into cybersecurity, even though we certainly want to invest in that,” he said. “But there are others, including the fact that a lot of professionals could change jobs mid-career and already have a bachelor’s degree in a field like psychology and want to get some skills and training. Our goal is to nurture a diverse workforce, but also to accelerate learning and skills development. We also have to recognize that the training that’s happening in our high schools and community colleges is sometimes of as much value as what happens in a traditional university setting, so we need to think much more broadly about the diverse learning community, not just the traditional pipeline.”