A new way to ensure government and industry have enough cybersecurity people

"We could view cybersecurity as an entry level problem, but it is probably more of an intermediate and advanced role problem," Keith Clement said.

If education and workforce training are key to developing the cybersecurity workforce then one group thinks it has the answers. The Advanced Technology Academic Research Center, or ATARC, has published a detailed plan, what it calls a workforce development pipeline and pathway strategy. Joining the Federal Drive with Tom Temin with more, California Sate University Professor Keith Clement.

Interview transcript: 

Tom Temin If education and workforce training are key to developing the cybersecurity workforce, then one group thinks it has some of the answers. The Advanced Technology Academic Research Center, ATARC, has published a detailed plan, what it calls a workforce development pipeline and pathway strategy. Joining me with some of the details, California State University professor Keith Clement. Dr. Clement, good to have you with us.

Keith Clement Good morning, Tom. Thank you for having me today.

Tom Temin And, well, what are the, I mean, we talk about this a lot, the workforce shortage, and there’s not enough cybersecurity people, not enough training going on. What is the real challenge, do you think? Put it in some terms we can come to grips with.

Keith Clement Tom, I think that we could view things as a capability gap, you know, just not having enough employees to fill out our information security teams. We could view it as a matter of those folks. Not having the skill set necessary for 2024 is advanced threat environment. And I think that thirdly, we could really look into the issues of the transition from the preparation process to actual employment process. And I think those are three key issues.

Tom Temin Yeah. So the capabilities is just sheer capacity. You mean and do we have enough bodies potentially even for this challenge globally?

Keith Clement World World Economic Forum estimates there are over 4 million cybersecurity jobs available. And in the United States, we have about 450,000 cyber jobs that are currently open. You could look at larger states that could have easily 50,000 or 60,000 job openings there. You can look at Silicon Valley or specific regions to have 20,000 or 25,000 jobs available. You could really view this in any way that you wanted to. It is a national security issue. It is a national economic security issue. And I think that one of the misnomers out there, Tom, unfortunately, is a lot of folks think that you can just go to a couple of classes over the weekend and by Monday morning, you’re the chief information security officer of a major U.S. Corporation or a federal government agency. And it’s actually a rather detailed process, right?

Tom Temin And cybersecurity jobs cover the gamut from if you are a so-so, you’re probably not sitting in the security operations center looking for alerts personally, but yet sitting in the security operations center and looking for alerts. That is a job. So it really is from the highly technical keyboard pounding to management and planning.

Keith Clement But I Tom, I think he hit the nail on the head right there that we could view cybersecurity as an entry level problem, but it is probably more of an intermediate and advanced role problem. We really have problems with burnout and keeping people in the field for long enough to be senior personnel in these respects. And on a separate but related issue, I think that the state of cybersecurity management, it is also it very much in question. We just do not have the managers nor, you know, nor the executives or the entry level folks. And it’s a problem.

Tom Temin And you mentioned there is the preparation because there are lots of schools that offer comprehensive cybersecurity training. But then the employment, there’s kind of a valley of death there, it seems like.

Keith Clement Worse than a valley of death, at least in the valley of death. Some may end up taking hope. But at the end of the day, in this area, the level of frustration and anxiety of potential candidates getting into the field almost rivals the stress and the pressure and the skeleton crews they likely face when they actually get on the job. I mean, I think that only about two thirds of cybersecurity jobs are filled out. How good does any team do with two-thirds of a squad? Right. I mean, one or two people go out on vacation and the office is in chaos. I mean, somebody gets sick, heaven forbid. I mean, just serious problems. But I think there’s three steps of the preparation process that folks need to think through about getting into the world of cybersecurity. One, as you mentioned, is the education, the four year degrees and the master’s degrees and all that. And so the second is the reliance on industry based professional certifications that are critical in IT and in cyber and growing. And I just to put that out there. And third, I think the valley of death that you refer to is there are so few opportunities for workforce development in this area, like lacking internships, lacking apprenticeships in those opportunities, that that’s really a barrier that a lot of folks have a hard time overcoming. It’s the chicken or the egg, right? I need the job. Well, you have to have the work experience to get the job. And it is a tough cycle right there.

Tom Temin We are speaking with Dr. Keith Clement. He’s a professor of criminology at Cal State, Fresno. And by the way, how does a criminology professor get into the cybersecurity business?

Keith Clement I appreciate, Tom, that question deeply. I get it an awful lot. The first issue, of course, is the relationship between cyber crime and cyber terrorism as it relates to the world of criminology that is fast paced and rapidly changing. I think that there are a lot of malicious actors out there that think that it’s easier to conduct Internet scams and ransomware attacks than it is to put a gun in somebody’s face or on a street corner and face hard time in prison. So, the folks engaging in cyber security is a criminological component. But I think what you’re really suggesting here is something else. That is what is a criminologist doing in a technical and specialized area of cybersecurity. And I would just say that machines do is they’re told that the real problem in all of this response was were 90 to 95% of breaches and all of these other things is the human element of it. And and and not only that aspect of the human development, but it’s critical to think of education and workforce development is bringing many different silos or many different groups of folks that don’t play very well in the sandbox, as they say. And it’s really been a challenge to bring industry higher education K to 12 community based organizations, the public sector. It’s been really hard to bring all of those actors together that have to be present, sure of a career pipeline pathway.

Tom Temin And give us the top line view then of what ATARC has come up with for some solutions to the capabilities, skills and an employment gap.

Keith Clement So speaking to our federal friends and colleagues, I think that there are at least two significant contributions of that HR report that would that that should garner some attention. The first is actually related to a framework to assist K-12 and higher education institutions and technology services offices on a framework by which they can use to assist them in developing additional cyber awareness and preparedness training types of programs. On the education side, I suspect that the long dominance of a cyber or specialized degree program is probably a question mark these days. One of the key aspects of the task report is the development of a traditional or academic pathway into cybersecurity. The one that your your viewers are most familiar with, like the four year degrees and you get a handful of top tier certificates and then you get a one year apprentice somewhere and then then voila, you’re in the job of your dreams, but also a nontraditional pathway that is that, in all fairness, a highly specialized Stem degree program and in anything super technical and specialized is going to rely on calculus and significant. You know, not everybody can get a master’s or a bachelor’s degree from MIT and computer science. Right. Right. The reality of the world. And and if we’re going to rely only on degrees as a pathway into federal employment in this matter, we’re going to just have. So instead, what we need to do, as the report suggests, is the development of a nontraditional pathway that replaces, in essence, the academics with certifications and hands on skills and training and a workforce model to include either internships, paid internships or the a registered apprenticeship model through the U.S. Department of Labor, USTR. Right.

Tom Temin And that’s similar to what the Biden administration has been really pushing right in several areas is skills based hiring where appropriate and not degree based and KSA based or I guess the middle word of KSA is skills.

Keith Clement I think that one of the misnomers out there in the cyber world is the the dynamics of the new tools and knowledge and skills. I mean, if you are a information security trained individual from 15 or 20 years ago, you’d probably wonder what the heck is going on around here because it’s changed dramatically and it’ll change tomorrow. And we could just as easily talk about the impact of artificial intelligence on on these matters, the convergence of A.I. and cybersecurity, and in a broader sense, and then in a very, very narrow sense, the utilization of AI in cybersecurity, right? I mean, red team, blue team activities. So I think there’s a lot going on in this space these days. I’m sure you would agree this is a critical area. I think another area of interest to to your viewers is this idea that these traditional nontraditional models are not exclusive by any means, but in many ways are complementary and kind of intertwine amongst themselves. This is a difficult position. This is a difficult sector to break into. As they say, you know, socialization and professional networks go really far here, too.

Tom Temin All right. Lots of good ideas in that report. Dr. Keith Clement is a professor of criminology at Cal State Fresno and also principal author of the ATARC white paper. Thanks so much for joining me.

Keith Clement Tom, Thank you so much. Pleasure’s all mine. Have a great day.

Tom Temin And we’ll post this interview along with a link to the white paper at federalnewsnetwork.com/federaldrive. Hear the Federal Drive on demand. Subscribe wherever you get your podcasts.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Stacy Bostjanick and Jennifer Henderson

    Risk and Compliance Exchange 2024: DoD’ Stacy Bostjanick, DCMA’s Jennifer Henderson on finding ‘any means possible’ to help small biz with CMMC

    Read more
    Amelia Brust/Federal News Networkcybersecurity

    How should software producers be held accountable for shoddy cybersecurity products?

    Read more